2 Replies Latest reply on Aug 15, 2003 6:30 AM by sanne

    Deploy Jar which is password encrypted

      See, I have a peculiar problem. I have hosted my application at an ISP and it connects to my database.

      Now the guy at the ISP can access my application and change my business logic by opening the jar files. I want to provide password encryption for the deployed jar files, so that nobody can change them. Only the one who knows the password can open the jar and change the business logic.

      Next, since it accesses my database, I need to configure JBoss for my database. But if a guy at the ISP opens the XML, he can learn the URL, username and password and can directly access my database. How can we restrict access in these situations?

        • 1. Re: Deploy Jar which is password encrypted
          tthiele

          This is a cute idea - but imho broken. Where do you want to place the code for reading the jar?

          One should be aware that this game can _never_ be won 100 per cent on hostile and foreign soil.

          AFAIK the classloader cannot access a password protected jar (didn't try to find it out yet). My recent approach was to sign the jar file and to place code at some places that verifies the correct signature of the classes. But this isn't secure either because a vicious chap can disassemble the code and remove the verification snippets. Next step would be to use a byte code obfuscator... maybe in the next life...

          • 2. Re: Deploy Jar which is password encrypted

            I don't think it is worth its salt, and you should probably solve your problem another way; but one can build a classloader that decrypts files before loading them. One has to extend the URL classloader:

            http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html

            In JBoss you also have to take care that the decrypted files do not end up unencrypted in the deployment cache.

            If you're serious about this, let me know.

            Sanne
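
The signature check described in reply 1, as an added example that is not part of the original thread or any poster's code: it opens a jar with verification enabled and lists entries that carry no code signer. The class name, entry name and the temporary sample jar are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

/** Added example (not from the thread): list JAR entries that lack a signature. */
public class JarSignatureCheck {

    /** Returns entries with no code signer; a modified signed entry raises SecurityException. */
    static List<String> unsignedEntries(File jar) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {            // true = verify signatures
            for (JarEntry e : Collections.list(jf.entries())) {
                String name = e.getName();
                // Simplification: skip META-INF/, where the manifest and signature files live.
                if (e.isDirectory() || name.startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }              // digest is checked only once fully read
                }
                if (e.getCodeSigners() == null) unsigned.add(name);
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary, unsigned jar holding one dummy entry.
        Path tmp = Files.createTempFile("sample", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(tmp))) {
            out.putNextEntry(new JarEntry("com/example/Logic.class"));
            out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
            out.closeEntry();
        }
        File jar = args.length > 0 ? new File(args[0]) : tmp.toFile();
        List<String> bad = unsignedEntries(jar);
        System.out.println(bad.isEmpty() ? "all entries signed" : "unsigned entries: " + bad);
        Files.deleteIfExists(tmp);
    }
}
```

A non-null signer only shows that some key signed the entry, so a real check also compares the signer certificate with the one you expect.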