I'm developing a client (Swing-based) software which allows to send/receive files from a JBoss AS central repository, using the JBossWS web service implementation. The JBossWS version we use is the one that is bundled within the JBoss AS version, in order to ensure compatibility.
To allow this communication, our swing-based client software is going to be released with the required JBossWS client jars (taken from the JBossAS distribution). For now, we plan to put those JBossWS jars in a "lib" folder, placed directly under the client software's root folder. The rest of the client's code (the "proprietary" part) will be obfuscated.
My question is : in your opinion, should the JBossWS client jars be protected through the same obfuscation mecanism, in order to ensure maximum security ? And BTW, does JBoss authorize such mecanism for the jars/sources they deliver ?
I tried to found related questions on this forum and on the web, but found none. Actually, we are affraid one could override the endpoint's adress by switching the original JBossWS client jars placed in the "lib" folder, in order to obtain the sent/received files from the remote AS.
We are already securing the communication through HTTPS transport, signature and encryption. However, the client keystore providing the security configuration is not going to be part of the obfuscation process, as it has to be specific per customer (please note that the JBoss AS install is specific per customer too, and so each client specific keystore is associated to a server specific keystore). We believe one could change this client keystore, create a fake endpoint with a new server keystore, and redirect traffic to this fake endpoint by changing the JBossWS client jars. But maybe are we being a bit paranoiac ?
Our configuration :
- JDK 5
- JBoss AS 4.2.3 with JBossWS native 3.0.1
Any opinion about this point would be appreciated.