1 Reply Latest reply on Mar 7, 2011 6:34 PM by Tim Evers

    How to acheieve Bytecode obfuscation with Seam project

    Amit Kamble Newbie


      Hi all, 
      
             I am new to seam framework.I need some help regarding Bytecode obfuscation. 
      How to protect source code(i.e. bytecode) from reverse engineering.
      Please suggest me the proper way to do this with seam project.
             For this currently I am using "Proguard(i.e. Obfuscation tool)" to obfuscate the bytecode but it is not working properly. 
      
               Thanks in advance!



        • 1. Re: How to acheieve Bytecode obfuscation with Seam project
          Tim Evers Master

          I'm a 'little' confused as to why you are obfuscating Seam byte code. If you're security is set up right then no one should have access to the class files or byte code anyway. That's one of the nice things about web apps. If untrusted users can get access to these files then you have bigger problems.


          But, for the sake of argument....let's look at what obfuscators do to your class files and see why you are going to run into problems.


          Let's say you have this SeamBean


          @Name("MyBean")
          @Scope(CONVERSATION)
          public class MyBean {
          
              String name;
              String address;
          
              public String getName() {
                  return this.name;
              }
          
              public String setName(String name) {
                  this.name = name;;
              }
          
              public String getAddress() {
                  return this.address;
              }
          
              public String setAddress(String address) {
                  this.address = address;;
              }
          }
          



          And this xhtml fragment


          ...
          <h:outputText value="#{MyBean.name}" />
          <h:outputText value="#{MyBean.address}" />
          




          So, now you obfuscate your code. Look at what happens to MyBean!


          @Name("MyBean")
          @Scope(CONVERSATION)
          public class MyBean {
          
              String a;
              String b;
          
              public String getA() {
                  return this.a;
              }
          
              public String setA(String a) {
                  this.a= a;;
              }
          
              public String getB() {
                  return this.b;
              }
          
              public String setB(String b) {
                  this.b= b;;
              }
          }
          



          But, your xhtml is still...


          ...
          <h:outputText value="#{MyBean.name}" />
          <h:outputText value="#{MyBean.address}" />
          



          Can you see the problem? The EL expressions are all wrong now. EL expressions are NOT compiled, they are evaluated at runtime. Obfuscating is not going to work. Maybe someone has written a tool that will perform the necessary changes to EL expressions but I very much doubt it will work 100%.


          I think at the end of the day obfuscating the java class files of a web app is probably not necessary. People should never be able to access anything inside the WEB-INF directory so that protects you from people trying to decompile your class files.