1 2 Previous Next 15 Replies Latest reply on Oct 16, 2013 8:51 AM by irbash

Encrypted class loading with jboss 5.1

irbash Feb 8, 2013 4:44 AM

Hello All,

We are using jboss 5.1 to deploy our application. Now we want to secure our .class files, so we are trying to encrypt the .class files.

but once we use encrypted .class files, jboss throws error (rather warnings saying

WARN [org.jboss.detailed.classloader.ClassLoaderManager] (main) Unexpected error during load of:xxx.xxx.UserController

java.lang.ClassFormatError: Unknown constant tag 80 in class file xxx/xxx/UserController)

To solve this issue, I got the source of jboss-classloader.jar (This jar is in /lib folder of jboss), and I saw that the class BaseClaseLoader is the class which finally calls jvm's classloader.

Hence I changed the code of BaseClassLoader's loadClassLocally method, and decrypted the class before it calls jvm's classloader. And it worked.

Now I dont want to modify jboss's source code hence I am looking for a way to do this without modifying the jboss libraries. I was going through http://java.dzone.com/articles/jboss-microcontainer-classloading and I feel it is possible to load encrypted classes into jboss by creating custom ClassLoaderPolicy. I tried a lot to do this, but I am not able to get it working.

Can some one tell me how I can add a custom class loader to jboss 5.1 which can decrypt the .class files before loading it.

Thanks,

Irfan

1. Re: Encrypted class loading with jboss 5.1

alesj Feb 9, 2013 4:46 PM (in response to irbash)

Now I dont want to modify jboss's source code hence I am looking for a way to do this without modifying the jboss libraries. I was going through http://java.dzone.com/articles/jboss-microcontainer-classloading and I feel it is possible to load encrypted classes into jboss by creating custom ClassLoaderPolicy. I tried a lot to do this, but I am not able to get it working.
Imo, this is the right way to do it.
What's the issue -- to not be able to make it work?

Or you can start-up AS with agent, in where you register ClassFileTransformer.

Also, I know I added ClassFileTransformer per ClassLoader, just dunno if this already made it into AS5.1.
Actions
2. Re: Encrypted class loading with jboss 5.1

irbash Feb 11, 2013 2:30 AM (in response to alesj)

Hi Ales,

Thanks for the reply.

What I mean by not able to make it work is:
I downloaded the complete demo from the svn, and I build it (only the classloader since I need only that) with ant script (not the pom maven), and after this I have a jar (jboss-demo-classloader.jar: with . crypt-beans.xml, regexp-beans.xml, bootstrap-beans.xml and cl-describe.xml in META-INF folder. I also took care of Main.java which is reference from ClassLoaderMain.java)

After this I don't know how to use this jar... I placed it in deploy folder hoping that it will be loaded but it dint. I tried placing it in /lib folder of jboss along with the jboss-classloader.jar and that dint work as well. I probably might be doing some simple mistake (or rather might be completely wrong) and I am stuck here.

If I understand it right (Please correct me if I am wrong), after I build this jar from the demo source the jboss has to use the two new classloaderpolicy's (depending on which one we mention in Main.setSystemProperty of ClassLoaderMain:
public class ClassLoaderMain
{
   public static void main(String[] args)
   {
      Main.setSystemProperty("demos.cl.policy", "regexp", false); // default CL policy

      Map<String, String> map = Collections.singletonMap(Main.CL_DESCRIBE, "C:/Users/irfan/workspace/jboss-classloader/META-INF/${demos.cl.policy}-beans.xml");
      Main.main(args, map);
   }
}

Please let me know what I am doing wrong. Am I doing something wrong in creating jar ? Or am I doing something wrong in placing the four xml's in META-INF ? or is there something else which I should do ?

Thanks,
Irfan
Actions
3. Re: Encrypted class loading with jboss 5.1

alesj Feb 11, 2013 4:32 AM (in response to irbash)

The main and (only) thing that you need to do is this deployer:
* http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderPolicyModule.java

As you can see, we change the CL policy to CrypterClassLoaderPolicy.

Or the commented code, where we just add translator to policy.
This is a better / easier way, but I need to check if this is already available in AS5.1.

I also added a way to do this declarative, via xml, but I really doubt this one is in AS5.1,
meaning you're definitely have to do it via adding a custom deployer.
Actions
4. Re: Encrypted class loading with jboss 5.1

alesj Feb 11, 2013 4:39 AM (in response to alesj)

Or the commented code, where we just add translator to policy.
This is a better / easier way, but I need to check if this is already available in AS5.1.
This is already available in 2.0.5:
* http://anonsvn.jboss.org/repos/jbossas/projects/jboss-cl/tags/2.0.5.GA/classloader/src/main/java/org/jboss/classloader/spi/base/BaseClassLoaderPolicy.java
Actions
5. Re: Encrypted class loading with jboss 5.1

alesj Feb 11, 2013 4:48 AM (in response to alesj)

I also added a way to do this declarative, via xml, but I really doubt this one is in AS5.1,
meaning you're definitely have to do it via adding a custom deployer.
Yup, this one is not in 2.0.x, only in 2.2.x, which is not fully compatible with AS5.x, only with AS6.
* http://anonsvn.jboss.org/repos/jbossas/projects/jboss-deployers/trunk/deployers-impl/src/main/java/org/jboss/deployers/plugins/classloading/AbstractTranslatorsDeployer.java
Actions
6. Re: Encrypted class loading with jboss 5.1

irbash Feb 11, 2013 8:40 AM (in response to alesj)

Dear Ales,

I am confused again... So I have to do the following:
1. Write a ClassLoaderPolicyModule which extends VFSDeploymentClassLoaderPolicyModule and change the CL policy to CrypterClassLoaderPolicy similar to: http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderPolicyModule.java
2. Write a custom deployer to deploy this classloaderpolicy

Is it correct ? (I am sorry if I am asking too trivial questions)

I didnot understand the better/easier way you mentioned... (the one with BaseClassLoaderPolicy.java)

Thanks,
Irfan
Actions
7. Re: Encrypted class loading with jboss 5.1

alesj Feb 11, 2013 9:13 AM (in response to irbash)

You need 3 things:

(a) custom DecrypyterTranslator

(b) custom ClassLoaderPolicyModule -- similar to DecrypterClassLoaderPolicyModule

But instead of providing full CLPolicy, you simply add translator from (a).

@Override
   protected VFSClassLoaderPolicy determinePolicy()
   {
      VFSClassLoaderPolicy policy = super.determinePolicy();
      policy.addTranslator(new DecrypterTranslator(decrypter));
      return policy;
   }

(c) custom deployer which creates DecrypterClassLoaderPolicyModule

* http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderDescribeDeployer.java
Actions
8. Re: Encrypted class loading with jboss 5.1

irbash Feb 11, 2013 9:16 AM (in response to alesj)

Hi Ales,

Thanks for your reply. I'll try the steps you mentioned.

Regards,
Irfan
Actions
9. Re: Encrypted class loading with jboss 5.1

alesj Feb 11, 2013 9:23 AM (in response to irbash)

Like I said, the problem is that you have to modify AS instance / distribution -- adding this 3 custom classes + some config.
I only realized this is very useful in AS6+, to be done configurable.
Actions
10. Re: Encrypted class loading with jboss 5.1

irbash Feb 11, 2013 9:34 AM (in response to alesj)

These 3 custom classes will be a seperate jar isnt it ?
Actions
11. Re: Encrypted class loading with jboss 5.1

alesj Feb 11, 2013 9:58 AM (in response to irbash)

These 3 custom classes will be a seperate jar isnt it ?
Yes.

Plus you need to register this new deployer against current AS deployers.

But that is trivial to do -- simply create a MC bean / pojo from it,
and AS will pick it up automagically. :-)
Actions
12. Re: Encrypted class loading with jboss 5.1

irbash Oct 14, 2013 9:52 AM (in response to alesj)

Hi Ales,

Is it possible to make a JNI call from the custom DecrypyterTranslator class ?

I want to move to decrypting logic to C++ program and call it using JNI.

I have been trying to do this and am getting UnSatisfiedLinkError...
I have placed the dll in the PATH...

Can you suggest how to achieve this...

Thanks in advance,
Irfan
Actions
13. Re: Encrypted class loading with jboss 5.1

ctomc Oct 16, 2013 5:45 AM (in response to irbash)

It looks like you did not configure path properly.

you can try putting in bin folder of AS (next to startup scripts) or even on global system path.
Actions
14. Re: Encrypted class loading with jboss 5.1

irbash Oct 16, 2013 6:41 AM (in response to ctomc)

Hi Tomaz Cerar,

Thanks for the reply.

I have placed the dll in the path, and I am sure of that because:
1. The statement System.loadLibrary("mylibrary"); is working fine.
2. If I remove the dll from the path, then the above statement gives error.

So I assume that the dll is in the path.

The error is thrown when I call the native method.

Since the error says UnsatisfiedLinkError, it is not able to load the library (which is what confuses me... since it was able to load it in the static method but it is not able to use it)

btw, I added the JBoss/bin and also JBoss/lib folder to the path... still same error.

Thanks,
Irfan
Actions

1 2 Previous Next

Go to original post