Re: [OT] obsfucating struts web application

2005-12-12 Thread su mo
Hi -

I tried this approach after my initial question.

My app uses dispatch action classes with parameter configured to method
names.

I have used ProGuard and configured it in such a way that public methods of
Action classes are left untouched (no name change).

Each of my public Action methods has very little info or obvious info from
the browser form data handling. I delegated control flow and business logic
to private methods.

So, I did not need to mess around with renaming struts config entries, though
it's possible with ProGuard, as it generates some kind of mapping in order to
view the stack trace of an exception.

My next task is how to hide log.debug(methodName) :) Any ideas?


-Regards
Sumo




Re: [OT] obsfucating struts web application

2005-12-12 Thread erikweber
Well, yes, but KlassMaster (sounds like ProGuard has this too) allows you to go 
in and manually rename stuff that can't be renamed automatically. So, the 
more XML-Java bindings you have, the more work it's going to be, but the people 
who develop the obfuscators know this, so they (we hope) give you tools to get 
around it. Probably won't be long before they all have plugins for all the 
various frameworks people love to use, and you won't have to do anything 
manually.

But often, I find that the class that is configured dynamically (such as a 
Struts Action class) is merely a facade or an adapter, and so you can live 
without obfuscating it unless you really need flow control obfuscation. I 
haven't used Hibernate, so I'm not sure how painful that would be . . .

Erik




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] obsfucating struts web application

2005-12-12 Thread Martin Gainty

this is straight from the docs available at
http://jakarta.apache.org/commons/logging/apidocs/org/apache/commons/logging/Log.html

/* only enable when debug is enabled */
if (log.isDebugEnabled()) {
    log.debug(whatever);
}

Martin-

Re: [OT] obsfucating struts web application

2005-12-12 Thread erikweber
Hmm, perhaps I misunderstood. I thought what he was saying was, he wants to 
obfuscate the method name whatever, so the log.debug argument has to be 
changed as well . . .

However, if the value of log.isDebugEnabled can be discovered at compile time 
(not sure how commons logging works), perhaps conditional compilation (if it 
exists) would leave this statement out of your distribution class file?

Erik





Re: [OT] obsfucating struts web application

2005-12-12 Thread su mo
If someone decompiles the obfuscated classes which have log.debug, they can
easily put the original names with obfuscated method names.

And if they see the log statements in sources, they can set up log4j
properties with a specific package enabled to get the control flow etc.

I think I was not clear earlier.

Let me rephrase: I want log.debug() for me but not for my binary
distributions. I can globally replace log.debug with //log.debug in Eclipse
before packaging, but I was looking for other ways to do it.

Sorry if the context is too deviating from Struts mailing list.

Thanks everyone




Re: [OT] obsfucating struts web application

2005-12-12 Thread Martin Gainty
You need to set up at least 2 environments:
One for debug/development
One for release

When in debug/development you are in DEBUG mode, which means you will generate
and be able to see the logs.
When you are in release, DEBUG is not enabled, which means you will not be
logging.
Code which contains log/debug statements should not be put into
production/release.

For more information look at the debugEnabled feature from Log4j available at
http://logging.apache.org/log4j/docs/api-unstable/org/apache/log4j/helpers/LogLog.html
Martin-

Re: [OT] obsfucating struts web application

2005-12-11 Thread Raghu Kanchustambham
Hey Erik...
Just curious.. would you not have these problems at the inner layers too?
Let us say ... I use Hibernate to persist my objects... since I would have
to use XML mapping files between classes and database tables... I cannot
obfuscate my business/persistent objects as well in a straightforward
fashion!

Maybe the obfuscation tool needs to look for string references as well, in
the same way as an advanced refactoring IDE would do... or something like
that to make our life simple! :-)

~raghu






Re: [OT] obsfucating struts web application

2005-12-09 Thread Raghu Kanchustambham
Laurie.. are you sure this will work?

Let us say I have a mapping that maps to a TelephoneAction in my
struts-config.xml... the class name will get 'garbled' after obfuscation.
When a hit is made, the struts runtime will look up the TelephoneAction
class to forward the request and notices there is no class with that name
anymore! Whether bytecode or sourcecode obfuscation, this problem will still
persist!

One solution: Use the option *not* to obfuscate classnames of action
classes.

But are we done? Not yet... what if we use dispatch action class? By similar
logic, you should leave even your method names unobfuscated! So that isn't
too good...

One of my friends suggested one way to obfuscate the action class names and
methods. As a part of obfuscation process generate a file containing mappings
from old names to new names. Then based on this generated file, you can
write a script to work on config.xml to find and replace the unobfuscated
names with those from the mappings file generated. Some amount of work, but
I guess it should work.

The other approach is not to obfuscate action class names and method names
in them. Just do flow obfuscation on these action classes. Action classes by
design would not have too much business code in them .. as they would be
delegated to some business classes. Even if complex code (in terms of
number of lines) does exist in them, flow obfuscation will make it difficult
to read them. If they are fewer number of lines, then it may be easy to
break flow obfuscation, but then in most cases the code would be so simple
that it is OK that the hacker knows it! ;-) Since rest of the classes
(other than action classes) are obfuscated without any constraints, you
should be safe... at most your action classes would be broken into. Maybe
.. you can treat your action classes like the DMZ (demilitarized zone).

Don't know if some tools support all what has been written so far. If they do
someone please let us know! :-)

Regards,
Raghu


On 11/20/05, Laurie Harper [EMAIL PROTECTED] wrote:

 su mo wrote:
  Hi,
 
  I have a STRUTS 1.2.7 based web application which I want to protect from the
  decompilation of class files. I would like to obfuscate the code using
  JShrink or other obfuscating tools.
 
  I am wondering if anyone has done this before to make the Struts 1.2.7 based
  web application work with obfuscated class files.
 
  I want to mention that I am using Dispatch action with parameters
  attribute, so my method names and class names are clear text on the
  struts-config.xml

 A byte-code obfuscator should have no effect on the way a class runs.
 Unless you obfuscate at the source code level before compiling (which
 would cause all sorts of problems) you shouldn't need to worry about it.

 L.
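
The mapping-file approach suggested in the message above, sketched as an added example (not code from the thread or from ProGuard): it parses a mapping in the text format ProGuard writes with `-printmapping` and rewrites the `type` and `parameter` attributes of `<action>` elements. The sample mapping, the class and method names, and the assumption that `parameter` holds the method name itself are constructed for illustration.

```python
import re

# Constructed ProGuard-style mapping ("original -> obfuscated"); all names are made up.
SAMPLE_MAPPING = """\
com.example.web.TelephoneAction -> a.a:
    org.apache.commons.logging.Log log -> a
    org.apache.struts.action.ActionForward save(org.apache.struts.action.ActionMapping) -> a
    31:40:org.apache.struts.action.ActionForward delete(org.apache.struts.action.ActionMapping) -> b
    void audit(java.lang.String) -> c
    void audit(int) -> d
com.example.web.LoginAction -> com.example.web.LoginAction:
    org.apache.struts.action.ActionForward login(org.apache.struts.action.ActionMapping) -> login
"""

# Constructed struts-config.xml fragment; "parameter" is assumed to name the method.
SAMPLE_CONFIG = """\
<action-mappings>
  <action path="/phone/save" type="com.example.web.TelephoneAction" parameter="save"/>
  <action path="/phone/delete" type="com.example.web.TelephoneAction" parameter="delete"/>
  <action path="/phone/audit" type="com.example.web.TelephoneAction" parameter="audit"/>
  <action path="/login" type="com.example.web.LoginAction" parameter="login"/>
  <action path="/home" type="org.apache.struts.actions.ForwardAction" parameter="/home.jsp"/>
</action-mappings>
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Method lines may carry a "start:end:" line-number prefix; field lines have no "(".
METHOD_RE = re.compile(r"^\s+(?:\d+:\d+:)?\S+ ([\w$<>]+)\(.*?\)(?::\d+:\d+)? -> (\S+)$")
ACTION_RE = re.compile(r"<action\s[^>]*>")  # \s keeps <action-mappings> out
TYPE_RE = re.compile(r'((?<![\w-])type\s*=\s*")([^"]*)(")')
PARAM_RE = re.compile(r'((?<![\w-])parameter\s*=\s*")([^"]*)(")')


def parse_mapping(text):
    """Return ({class: new_class}, {class: {method: set(new_names)}})."""
    classes, methods, current = {}, {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = m.group(2)
            methods[current] = {}
            continue
        m = METHOD_RE.match(line)
        if m and current is not None:
            methods[current].setdefault(m.group(1), set()).add(m.group(2))
    return classes, methods


def rewrite_struts_config(xml_text, classes, methods):
    """Rewrite type/parameter on <action> tags; return (new_xml, problems)."""
    problems = []

    def fix(match):
        tag = match.group(0)
        type_m = TYPE_RE.search(tag)
        if not type_m or type_m.group(2) not in classes:
            return tag  # no handler class, or a library class the obfuscator never saw
        original = type_m.group(2)
        param_m = PARAM_RE.search(tag)
        if param_m and param_m.group(2) in methods[original]:
            new_names = methods[original][param_m.group(2)]
            if len(new_names) != 1:
                # Overloads were renamed differently: a bare name cannot pick one.
                problems.append((original, param_m.group(2)))
                return tag
            new_method = next(iter(new_names))
            tag = PARAM_RE.sub(lambda m: m.group(1) + new_method + m.group(3), tag, count=1)
        # Text-level substitution keeps the DOCTYPE and layout of the file intact.
        return TYPE_RE.sub(lambda m: m.group(1) + classes[original] + m.group(3), tag, count=1)

    return ACTION_RE.sub(fix, xml_text), problems


if __name__ == "__main__":
    class_map, method_map = parse_mapping(SAMPLE_MAPPING)
    new_xml, unresolved = rewrite_struts_config(SAMPLE_CONFIG, class_map, method_map)
    print(new_xml)
    print("unresolved:", unresolved)
```

A non-empty `problems` list should fail the build, because the unresolved `<action>` is left pointing at a class name that no longer exists in the obfuscated jar.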






Re: [OT] obsfucating struts web application

2005-12-09 Thread erikweber
I have used KlassMaster on distributions that contain Struts classes before, 
and I took your approach as I recall. I didn't obfuscate Action classes, but 
there was nothing important in them anyway. Also, KlassMaster has a great 
scripting language for getting around the problems you mention, and it knows 
how to edit web.xml, etc. In my opinion, it is well worth the price ($400 for a 
single license last time I checked).

Erik


-Original Message-
From: Raghu Kanchustambham [EMAIL PROTECTED]
Sent: Dec 9, 2005 4:38 AM
To: Struts Users Mailing List user@struts.apache.org
Subject: Re: [OT] obsfucating struts web application

Laurie.. are you sure this will work?

Let us say I have a mapping that maps to a TelephoneAction in my
struts-config.xml... the class name will get 'garbled' after obfuscation.
When a hit is made, the struts runtime will look up the TelephoneAction
class to forward the request and notice there is no class with that name
anymore! Whether bytecode or sourcecode obfuscation, this problem will still
persist!

One solution: Use the option *not* to obfuscate classnames of action
classes.

But are we done? Not yet... what if we use dispatch action class? By similar
logic, you should leave even your method names unobfuscated! So that isn't
too good...

One of my friends suggested one way to obfuscate the action class names and
methods. As a part of the obfuscation process, generate a file containing mappings
from old names to new names. Then based on this generated file, you can
write a script to work on config.xml to find and replace the unobfuscated
names with those from the mappings file generated. Some amount of work, but
I guess it should work.

The other approach is not to obfuscate action class names and method names
in them. Just do flow obfuscation on these action classes. Action classes by
design would not have too much business code in them .. as they would be
delegated to some business classes. Even if complex code (in terms of
number of lines) does exist in them, flow obfuscation will make it difficult
to read them. If they have fewer lines, then it may be easy to
break flow obfuscation, but then in most cases the code would be so simple
that it is OK that the hacker knows it! ;-) Since the rest of the classes
(other than action classes) are obfuscated without any constraints, you
should be safe... at most your action classes would be broken into. Maybe
.. you can treat your action classes like the DMZ (demilitarized zone).

Don't know if some tools support all that has been written so far. If they do
someone please let us know! :-)

Regards,
Raghu


On 11/20/05, Laurie Harper [EMAIL PROTECTED] wrote:

 su mo wrote:
  Hi,
 
  I have a STRUTS 1.2.7 based web application which I want to protect from the
  decompilation of class files. I would like to obfuscate the code using
  JShrink or other obfuscating tools.
 
  I am wondering if anyone has done this before to make the Struts 1.2.7 based
  web application work with obfuscated class files.
 
  I want to mention that I am using Dispatch action with parameters attribute,
  so my method names and class names are clear text in the struts-config.xml

 A byte-code obfuscator should have no effect on the way a class runs.
 Unless you obfuscate at the source code level before compiling (which
 would cause all sorts of problems) you shouldn't need to worry about it.

 L.






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
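
The mapping-file approach described in the quoted message above, as an added example (not code from any poster or obfuscator vendor). It assumes a ProGuard-style mapping file; the class names, the sample mapping and the sample config are constructed. Class renames can be fixed in the `type` attributes, but DispatchAction methods are looked up by name from a request parameter value, so renamed dispatch methods are reported rather than rewritten.

```python
import re

# Argument list shared by every Struts 1 dispatch method.
DISPATCH_ARGS = ",".join([
    "org.apache.struts.action.ActionMapping",
    "org.apache.struts.action.ActionForm",
    "javax.servlet.http.HttpServletRequest",
    "javax.servlet.http.HttpServletResponse",
])
# Constructed sample, laid out like a ProGuard mapping file (assumed format).
MAPPING = (
    "com.example.web.TelephoneAction -> a.b:\n"
    f"    org.apache.struts.action.ActionForward save({DISPATCH_ARGS}) -> a\n"
    "    void audit(java.lang.String) -> b\n"
    "com.example.web.TelephoneForm -> a.c:\n"
)
# Constructed struts-config.xml fragment.
CONFIG = """<struts-config>
  <form-beans><form-bean name="telephoneForm" type="com.example.web.TelephoneForm"/></form-beans>
  <action-mappings>
    <action path="/telephone" type="com.example.web.TelephoneAction" parameter="method"/>
  </action-mappings>
</struts-config>"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
MEMBER_RE = re.compile(r"^\s+(?:\d+:\d+:)?\S+ (\w+)\((.*?)\)(?::\d+:\d+)? -> (\S+)$")
TYPE_ATTR = re.compile(r'(\btype=")([^"]+)(")')

def parse_mapping(text):
    """Return ({old_class: new_class}, {old_class: [(method, args, new_name)]})."""
    classes, methods, current = {}, {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
            classes[current], methods[current] = m.group(2), []
        elif current and (m := MEMBER_RE.match(line)):
            methods[current].append(m.groups())
    return classes, methods

def rewrite_config(xml_text, classes, methods):
    """Swap type="..." class names; report dispatch methods that were renamed."""
    warnings = []
    def swap(m):
        old = m.group(2)
        for name, args, new in methods.get(old, []):
            if args == DISPATCH_ARGS and name != new:
                warnings.append(f"{old}.{name} -> {new}")
        return m.group(1) + classes.get(old, old) + m.group(3)
    return TYPE_ATTR.sub(swap, xml_text), warnings
```

`rewrite_config(CONFIG, *parse_mapping(MAPPING))` returns the rewritten XML and the list of renamed dispatch methods; a non-empty list means requests such as `?method=save` would stop resolving unless those method names are kept.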



Re: [OT] obsfucating struts web application

2005-12-09 Thread Laurie Harper
I haven't used Java obfuscation tools so I can't say for sure, but I 
would expect them to somehow 'fix' the internal symbol tables in the 
obfuscated class files to account for all that. After all, if they 
didn't then anything that used reflection or introspection would be 
completely broken once you obfuscated.


Unless your obfuscation tool specifically documents that it will not 
work with such code, you should be fine. As I said, though, I haven't 
used one so YMMV.


L.

Raghu Kanchustambham wrote:

Laurie.. are you sure this will work?

Let us say I have a mapping that maps to a TelephoneAction in my
struts-config.xml... the class name will get 'garbled' after obfuscation.
When a hit is made, the struts runtime will look up the TelephoneAction
class to forward the request and notice there is no class with that name
anymore! Whether bytecode or sourcecode obfuscation, this problem will still
persist!

One solution: Use the option *not* to obfuscate classnames of action
classes.

But are we done? Not yet... what if we use dispatch action class? By similar
logic, you should leave even your method names unobfuscated! So that isn't
too good...

One of my friends suggested one way to obfuscate the action class names and
methods. As a part of the obfuscation process, generate a file containing mappings
from old names to new names. Then based on this generated file, you can
write a script to work on config.xml to find and replace the unobfuscated
names with those from the mappings file generated. Some amount of work, but
I guess it should work.

The other approach is not to obfuscate action class names and method names
in them. Just do flow obfuscation on these action classes. Action classes by
design would not have too much business code in them .. as they would be
delegated to some business classes. Even if complex code (in terms of
number of lines) does exist in them, flow obfuscation will make it difficult
to read them. If they have fewer lines, then it may be easy to
break flow obfuscation, but then in most cases the code would be so simple
that it is OK that the hacker knows it! ;-) Since the rest of the classes
(other than action classes) are obfuscated without any constraints, you
should be safe... at most your action classes would be broken into. Maybe
.. you can treat your action classes like the DMZ (demilitarized zone).

Don't know if some tools support all that has been written so far. If they do
someone please let us know! :-)

Regards,
Raghu


On 11/20/05, Laurie Harper [EMAIL PROTECTED] wrote:

su mo wrote:

Hi,

I have a STRUTS 1.2.7 based web application which I want to protect from the
decompilation of class files. I would like to obfuscate the code using
JShrink or other obfuscating tools.

I am wondering if anyone has done this before to make the Struts 1.2.7 based
web application work with obfuscated class files.

I want to mention that I am using Dispatch action with parameters attribute,
so my method names and class names are clear text in the struts-config.xml

A byte-code obfuscator should have no effect on the way a class runs.
Unless you obfuscate at the source code level before compiling (which
would cause all sorts of problems) you shouldn't need to worry about it.

L.





Re: [OT] obsfucating struts web application

2005-11-19 Thread Laurie Harper

su mo wrote:

Hi,

I have a STRUTS 1.2.7 based web application which I want to protect from the
decompilation of class files. I would like to obfuscate the code using
JShrink or other obfuscating tools.

I am wondering if anyone has done this before to make the Struts 1.2.7 based web
application work with obfuscated class files.

I want to mention that I am using Dispatch action with parameters attribute,
so my method names and class names are clear text in the struts-config.xml


A byte-code obfuscator should have no effect on the way a class runs. 
Unless you obfuscate at the source code level before compiling (which 
would cause all sorts of problems) you shouldn't need to worry about it.


L.





obsfucating struts web application

2005-11-18 Thread su mo
Hi,

I have a STRUTS 1.2.7 based web application which I want to protect from the
decompilation of class files. I would like to obfuscate the code using
JShrink or other obfuscating tools.

I am wondering if anyone has done this before to make the Struts 1.2.7 based web
application work with obfuscated class files.

I want to mention that I am using Dispatch action with parameters attribute,
so my method names and class names are clear text in the struts-config.xml

Regards
Sumo


