Hi everybody,

our application has to be hosted on untrusted machines. So we want wo protect our software against copy-theft and maybe also reverse-engeneering. Just to clear it out beforehand: We know that there is no utlimate protection and that we are just talking about making it harder to do evil stuff.

We found a code-encryption & licensing tool that is based on class-file-encryption and would suit our needs on "making it harder". From our perspective it has 2 integral parts:

• a ClassLoader that decrypts the class-files
• a native library that manages dongles, watches out for debuggers, looks for jvm modifications, ...

We would like to use the tool to encrypt the class-files of our application. We see at least 2 points which can cause problems with the JBoss (AS7)

• jboss-modules may at some point override the setting for java.system.class.loader or use the ClassLoader in a way that is not compatible with the encrypted classes
• during the deployment the jboss may scan for stuff (like annotations) before the classes are decrypted (not sure if this can happen, but deployment in general seems important)

What do you think: What do you think about integrating such a decrypting class-loader? What would need to be done to fix these problems? Are there any other possible problems? And by the way if you know any copy-protection stuff that already works with the JBoss, we would be happy to know.

regards!

P.S.: By now we already have a system that changes java.system.class.loader and ends up in class-loading issues during the deployment of our (encrypted) application.