Re: [OT] obsfucating struts web application
Hi - I tried this approach after my initial question.

My app uses dispatch action classes with parameter configured to method names. I have used ProGuard and configured it in such a way that public methods of Action classes are left untouched (no name change). Each of my public Action methods has very little info or obvious info from the browser form data handling. I delegated control flow and business logic to private methods. So, I did not need to mess around with renaming struts config entries, though it's possible with ProGuard as it generates some kind of mapping in order to view the stacktrace of an exception.

My next task is how to hide log.debug(methodName) :) Any ideas?

-Regards
Sumo

On 12/12/05, Raghu Kanchustambham [EMAIL PROTECTED] wrote:
> Hey Erik...
> Just curious.. would you not have these problems at the inner layers too? Let us say ... I use Hibernate to persist my objects... since I would have to use xml mapping files between classes and database tables... I cannot obfuscate my business/persistent objects as well in a straightforward fashion!
> Maybe the obfuscation tool needs to look for string references as well, in the same way as an advanced refactoring IDE would do... or something like that to make our life simple! :-)
> ~raghu
Re: [OT] obsfucating struts web application
Well, yes, but KlassMaster (sounds like ProGuard has this too) allows you to go in and manually rename stuff that can't be renamed automatically. So, the more XML-Java bindings you have, the more work it's going to be, but the people who develop the obfuscators know this, so they (we hope) give you tools to get around it. Probably won't be long before they all have plugins for all the various frameworks people love to use, and you won't have to do anything manually.

But often, I find that the class that is configured dynamically (such as a Struts Action class) is merely a facade or an adapter, and so you can live without obfuscating it unless you really need flow control obfuscation. I haven't used Hibernate, so I'm not sure how painful that would be . . .

Erik

-----Original Message-----
From: Raghu Kanchustambham [EMAIL PROTECTED]
Sent: Dec 11, 2005 3:22 PM
To: Struts Users Mailing List user@struts.apache.org, [EMAIL PROTECTED]
Subject: Re: [OT] obsfucating struts web application

Hey Erik...
Just curious.. would you not have these problems at the inner layers too? Let us say ... I use Hibernate to persist my objects... since I would have to use xml mapping files between classes and database tables... I cannot obfuscate my business/persistent objects as well in a straightforward fashion!
Maybe the obfuscation tool needs to look for string references as well, in the same way as an advanced refactoring IDE would do... or something like that to make our life simple! :-)
~raghu
Re: [OT] obsfucating struts web application
this is straight from the docs available at
http://jakarta.apache.org/commons/logging/apidocs/org/apache/commons/logging/Log.html

    /* only enable when debug is enabled */
    if (log.isDebugEnabled()) {
        log.debug(whatever);
    }

Martin-

----- Original Message -----
From: su mo [EMAIL PROTECTED]
To: Struts Users Mailing List user@struts.apache.org
Sent: Monday, December 12, 2005 6:33 AM
Subject: Re: [OT] obsfucating struts web application

Hi - I tried this approach after my initial question.

My app uses dispatch action classes with parameter configured to method names. I have used ProGuard and configured it in such a way that public methods of Action classes are left untouched (no name change). Each of my public Action methods has very little info or obvious info from the browser form data handling. I delegated control flow and business logic to private methods. So, I did not need to mess around with renaming struts config entries, though it's possible with ProGuard as it generates some kind of mapping in order to view the stacktrace of an exception.

My next task is how to hide log.debug(methodName) :) Any ideas?

-Regards
Sumo
Re: [OT] obsfucating struts web application
Hmm, perhaps I misunderstood. I thought what he was saying was, he wants to obfuscate the method name whatever, so the log.debug argument has to be changed as well . . .

However, if the value of log.isDebugEnabled can be discovered at compile time (not sure how commons logging works), perhaps conditional compilation (if it exists) would leave this statement out of your distribution class file?

Erik

-----Original Message-----
From: Martin Gainty [EMAIL PROTECTED]
Sent: Dec 12, 2005 9:19 AM
To: Struts Users Mailing List user@struts.apache.org
Subject: Re: [OT] obsfucating struts web application

this is straight from the docs available at
http://jakarta.apache.org/commons/logging/apidocs/org/apache/commons/logging/Log.html

    /* only enable when debug is enabled */
    if (log.isDebugEnabled()) {
        log.debug(whatever);
    }

Martin-
Re: [OT] obsfucating struts web application
If someone decompiles the obfuscated classes which have log.debug, they can easily put the original names with obfuscated method names. And if they see the log statements in sources, they can set up log4j properties with specific package enabled to get the control flow etc.

I think I was not clear earlier. Let me rephrase.
- I want log.debug() for me but not for my binary distributions.

I can globally replace log.debug to //log.debug in Eclipse before packaging. But was looking for other ways to do it.

Sorry if the context is too deviating from Struts mailing list.

Thanks everyone

On 12/12/05, Martin Gainty [EMAIL PROTECTED] wrote:
> this is straight from the docs available at
> http://jakarta.apache.org/commons/logging/apidocs/org/apache/commons/logging/Log.html
>
>     /* only enable when debug is enabled */
>     if (log.isDebugEnabled()) {
>         log.debug(whatever);
>     }
>
> Martin-
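Added example (not a configuration posted by anyone in this thread): a ProGuard fragment for the setup Sumo describes in the two messages above, keeping Action class names and public handler methods so struts-config.xml still resolves, and dropping commons-logging debug calls from the release jar. The file name mapping.txt is a placeholder.

```proguard
# Added example. mapping.txt is a placeholder name; keep that file out of the
# distribution, since it reverses every rename.
-printmapping mapping.txt

# Action classes are loaded by name from struts-config.xml and their handler
# methods are found by reflection, so keep both names and the no-arg
# constructor. Private helpers in these classes, and all other classes,
# are still renamed.
-keep public class * extends org.apache.struts.action.Action {
    public <init>();
    public org.apache.struts.action.ActionForward *(
        org.apache.struts.action.ActionMapping,
        org.apache.struts.action.ActionForm,
        javax.servlet.http.HttpServletRequest,
        javax.servlet.http.HttpServletResponse);
}

# Form beans are also named in struts-config.xml and populated through
# their bean accessors.
-keep public class * extends org.apache.struts.action.ActionForm {
    public <init>();
    void set*(***);
    *** get*();
    boolean is*();
}

# Declare the debug calls free of side effects so the optimizer can remove
# them from the output. This only applies when the optimization step runs,
# i.e. when -dontoptimize is not set.
-assumenosideeffects class org.apache.commons.logging.Log {
    public boolean isDebugEnabled();
    public void debug(java.lang.Object);
    public void debug(java.lang.Object, java.lang.Throwable);
}
```

Check the result on the release jar rather than trusting the rule: debug messages assembled by string concatenation can leave their string constants behind, which `javap -c -p` on a release class will show.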
Re: [OT] obsfucating struts web application
you need to set up at least 2 environments
One for debug/development
One for release

When in debug/development you are in DEBUG mode, which means you will generate and be able to see the logs
When you are in release DEBUG is not enabled, which means you will not be logging

code which contains log/debug statements should not be put into production/release

For more information look at the debugEnabled feature from Log4j available at
http://logging.apache.org/log4j/docs/api-unstable/org/apache/log4j/helpers/LogLog.html

Martin-

----- Original Message -----
From: su mo
To: Struts Users Mailing List ; Martin Gainty
Sent: Monday, December 12, 2005 9:40 AM
Subject: Re: [OT] obsfucating struts web application

If someone decompiles the obfuscated classes which have log.debug, they can easily put the original names with obfuscated method names. And if they see the log statements in sources, they can set up log4j properties with specific package enabled to get the control flow etc.

I think I was not clear earlier. Let me rephrase.
- I want log.debug() for me but not for my binary distributions.

I can globally replace log.debug to //log.debug in Eclipse before packaging. But was looking for other ways to do it.

Sorry if the context is too deviating from Struts mailing list.

Thanks everyone
Re: [OT] obsfucating struts web application
Hey Erik...
Just curious.. would you not have these problems at the inner layers too? Let us say ... I use Hibernate to persist my objects... since I would have to use xml mapping files between classes and database tables... I cannot obfuscate my business/persistent objects as well in a straightforward fashion!
Maybe the obfuscation tool needs to look for string references as well, in the same way as an advanced refactoring IDE would do... or something like that to make our life simple! :-)
~raghu

On 12/9/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I have used KlassMaster on distributions that contain Struts classes before, and I took your approach as I recall. I didn't obfuscate Action classes, but there was nothing important in them anyway. Also, KlassMaster has a great scripting language for getting around the problems you mention, and it knows how to edit web.xml, etc. In my opinion, it is well worth the price ($400 for a single license last time I checked).
>
> Erik
Re: [OT] obsfucating struts web application
Laurie.. are you sure this will work?

Let us say I have a mapping that maps to a TelephoneAction in my struts-config.xml... the class name will get 'garbled' after obfuscation. When a hit is made, the struts runtime will look up the TelephoneAction class to forward the request and notices there is no class with that name anymore! Whether bytecode or sourcecode obfuscation, this problem will still persist!

One solution: Use the option *not* to obfuscate classnames of action classes. But are we done? Not yet... what if we use dispatch action class? By similar logic, you should leave even your method names unobfuscated! So that isn't too good...

One of my friends suggested one way to obfuscate the action class names and methods. As a part of the obfuscation process, generate a file containing mappings from old names to new names. Then, based on this generated file, you can write a script to work on config.xml to find and replace the unobfuscated names with those from the mappings file generated. Some amount of work, but I guess it should work.

The other approach is not to obfuscate action class names and method names in them. Just do flow obfuscation on these action classes. Action classes by design would not have too much business code in them .. as they would be delegated to some business classes. Even if complex code (in terms of number of lines) does exist in them, flow obfuscation will make it difficult to read them. If they are fewer number of lines, then it may be easy to break flow obfuscation, but then in most cases the code would be so simple that it is OK that the hacker knows it ! ;-)

Since the rest of the classes (other than action classes) are obfuscated without any constraints, you should be safe... at most your action classes would be broken into. Maybe .. you can treat your action classes like the DMZ (demilitarized zone).

Don't know if some tools support all that has been written so far. If they do, someone please let us know! :-)

Regards,
Raghu

On 11/20/05, Laurie Harper [EMAIL PROTECTED] wrote:
> su mo wrote:
>> Hi,
>> I have a STRUTS 1.2.7 based web application which I want to protect against decompilation of class files. I would like to obfuscate the code using JShrink or other obfuscating tools. I am wondering if anyone has done this before to make the Struts 1.2.7 based web application work with obfuscated class files. I want to mention that I am using Dispatch action with parameters attribute, so my method names and class names are clear text on the struts-config.xml
>
> A byte-code obfuscator should have no effect on the way a class runs. Unless you obfuscate at the source code level before compiling (which would cause all sorts of problems) you shouldn't need to worry about it.
>
> L.
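The mapping-file approach suggested in this message, as an added example that is not code from the thread: it parses a mapping in the format ProGuard writes with -printmapping and rewrites the class names in struts-config.xml, plus the `parameter` attribute where, as the original poster describes, it holds the handler method name. The `com.example` names, the sample mapping and the sample config are constructed.

```python
import re

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Method lines: optional "start:end:" prefix, return type, name(args), "-> new".
METHOD_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?\S+\s+([^\s(]+)\((.*?)\)(?::\d+:\d+)?\s+->\s+(\S+)$")
# Only these elements are touched; the DOCTYPE and everything else stay as-is.
TAG_RE = re.compile(
    r"<(action|form-bean|plug-in|exception|controller)(?=[\s/>])[^>]*>", re.S)
ATTR_RE = re.compile(r"""([\w-]+)(\s*=\s*)(["'])(.*?)\3""", re.S)
CLASS_ATTRS = {"type", "className", "handler", "processorClass"}
HANDLER_ARG0 = "org.apache.struts.action.ActionMapping"

_SIG = ("org.apache.struts.action.ActionMapping,"
        "org.apache.struts.action.ActionForm,"
        "javax.servlet.http.HttpServletRequest,"
        "javax.servlet.http.HttpServletResponse")
# Constructed sample mapping (com.example names are made up).
SAMPLE_MAPPING = f"""\
com.example.web.TelephoneAction -> a.a:
    org.apache.commons.logging.Log log -> a
    org.apache.struts.action.ActionForward dial({_SIG}) -> a
    void audit(java.lang.String) -> b
com.example.web.TelephoneForm -> a.b:
com.example.biz.Billing -> b.a:
    12:30:void charge(int) -> a
"""
# Constructed sample config.
SAMPLE_CONFIG = """\
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE struts-config PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 1.2//EN"
  "http://jakarta.apache.org/struts/dtds/struts-config_1_2.dtd">
<struts-config>
  <form-beans>
    <form-bean name="telephoneForm" type="com.example.web.TelephoneForm"/>
  </form-beans>
  <action-mappings>
    <action path="/dial" type="com.example.web.TelephoneAction"
            name="telephoneForm" parameter="dial"/>
    <action path="/help" type="org.apache.struts.actions.ForwardAction"
            parameter="/help.jsp"/>
  </action-mappings>
</struts-config>
"""


def parse_mapping(text):
    """Return ({old_class: new_class}, {old_class: {old_handler: new_handler}})."""
    classes, handlers, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = m.group(2)
            continue
        m = METHOD_RE.match(line)
        # Only methods with the Struts handler signature can be dispatch targets.
        if m and current and m.group(2).startswith(HANDLER_ARG0):
            handlers.setdefault(current, {})[m.group(1)] = m.group(3)
    return classes, handlers


def rewrite_config(xml_text, classes, handlers):
    """Rewrite class-name attributes and dispatch method names; list the changes."""
    changes = []

    def fix_tag(tag_match):
        tag = tag_match.group(0)
        attrs = {m.group(1): m.group(4) for m in ATTR_RE.finditer(tag)}
        # Look up handler renames by the action's original class name.
        renamed = handlers.get(attrs.get("type"), {})

        def fix_attr(m):
            name, sep, quote, value = m.groups()
            new = value
            if name in CLASS_ATTRS:
                new = classes.get(value, value)
            elif name == "parameter" and tag_match.group(1) == "action":
                new = renamed.get(value, value)
            if new != value:
                changes.append((name, value, new))
            return f"{name}{sep}{quote}{new}{quote}"

        return ATTR_RE.sub(fix_attr, tag)

    return TAG_RE.sub(fix_tag, xml_text), changes


if __name__ == "__main__":
    classes, handlers = parse_mapping(SAMPLE_MAPPING)
    new_xml, changes = rewrite_config(SAMPLE_CONFIG, classes, handlers)
    for attr, old, new in changes:
        print(f"{attr}: {old} -> {new}")
    print(new_xml)
```

The mapping file reverses every rename, so it belongs with the build artifacts, not in the distributed archive.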
Re: [OT] obsfucating struts web application
I have used KlassMaster on distributions that contain Struts classes before, and I took your approach as I recall. I didn't obfuscate Action classes, but there was nothing important in them anyway. Also, KlassMaster has a great scripting language for getting around the problems you mention, and it knows how to edit web.xml, etc. In my opinion, it is well worth the price ($400 for a single license last time I checked).

Erik

-----Original Message-----
From: Raghu Kanchustambham [EMAIL PROTECTED]
Sent: Dec 9, 2005 4:38 AM
To: Struts Users Mailing List user@struts.apache.org
Subject: Re: [OT] obsfucating struts web application

Laurie.. are you sure this will work?

Let us say I have a mapping that maps to a TelephoneAction in my struts-config.xml... the class name will get 'garbled' after obfuscation. When a hit is made, the struts runtime will look up the TelephoneAction class to forward the request and notices there is no class with that name anymore! Whether bytecode or sourcecode obfuscation, this problem will still persist!

One solution: Use the option *not* to obfuscate classnames of action classes. But are we done? Not yet... what if we use dispatch action class? By similar logic, you should leave even your method names unobfuscated! So that isn't too good...

One of my friends suggested one way to obfuscate the action class names and methods. As a part of the obfuscation process, generate a file containing mappings from old names to new names. Then, based on this generated file, you can write a script to work on config.xml to find and replace the unobfuscated names with those from the mappings file generated. Some amount of work, but I guess it should work.

The other approach is not to obfuscate action class names and method names in them. Just do flow obfuscation on these action classes. Action classes by design would not have too much business code in them .. as they would be delegated to some business classes. Even if complex code (in terms of number of lines) does exist in them, flow obfuscation will make it difficult to read them. If they are fewer number of lines, then it may be easy to break flow obfuscation, but then in most cases the code would be so simple that it is OK that the hacker knows it ! ;-)

Since the rest of the classes (other than action classes) are obfuscated without any constraints, you should be safe... at most your action classes would be broken into. Maybe .. you can treat your action classes like the DMZ (demilitarized zone).

Don't know if some tools support all that has been written so far. If they do, someone please let us know! :-)

Regards,
Raghu
Re: [OT] obsfucating struts web application
I haven't used Java obfuscation tools so I can't say for sure, but I would expect them to somehow 'fix' the internal symbol tables in the obfuscated class files to account for all that. After all, if they didn't then anything that used reflection or introspection would be completely broken once you obfuscated. Unless your obfuscation tool specifically documents that it will not work with such code, you should be fine. As I said, though, I haven't used one so YMMV.

L.
Re: [OT] obsfucating struts web application
A byte-code obfuscator should have no effect on the way a class runs. Unless you obfuscate at the source code level before compiling (which would cause all sorts of problems) you shouldn't need to worry about it.

L.
obsfucating struts web application
Hi,

I have a STRUTS 1.2.7 based web application which I want to protect against decompilation of class files. I would like to obfuscate the code using JShrink or other obfuscating tools. I am wondering if anyone has done this before to make the Struts 1.2.7 based web application work with obfuscated class files. I want to mention that I am using Dispatch action with parameters attribute, so my method names and class names are clear text in the struts-config.xml.

Regards
Sumo