Samara, Fadi N Mr ACSIM/ASPEX wrote:

Classification: UNCLASSIFIED Caveats: NONE
-----Original Message-----
From: Tom Burke [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 17, 2006 10:19 AM
To: Tomcat Users List
Subject: Encrypting/Protecting JSP/Struts source code

My company has developed and is now marketing/selling a line-of-business
JSP/Tomcat application which we sell to corporate customers to run on their
servers in their intranets.

It's suddenly become clear to my company that when we deploy a WAR on a
customer's site, the source code is completely visible to anyone who has
access to the server's drives, and this is belatedly causing some concern.
Obviously there are clauses in our license that formally protect our
intellectual property and at a corporate level we are relaxed, but my boss
is quite concerned about the delinquent administrator who simply downloads &
walks away with the code.

Is there any way in which the deployed WAR file, and all the files that
explode out of it, can be hidden/encrypted/protected on the server, while
still allowing them to be executed by Tomcat? The app is almost completely
JSP/Struts, there is hardly any HTML at all (if any in fact).

There is some nonsense here, so let us clear it out.

First of all, Java classes are compiled binary entities, no source there. Sure, there are tools for reverse engineering, decompilers. You can make life harder for them by using obfuscators; I believe Jakarta has a good one.

Next, for JSPs, well, yes they are source, but in Struts applications, they should have a limited role. Even so, there are JSP precompilers; Ant has a task for that. Couple it with an obfuscator and your source is unreadable. The only things that remain are the config files. You could theoretically encrypt them, keeping the key inside your code, which will get obfuscated, anyway.

Does that satisfy you?

Nix.
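
The last suggestion in the reply above (encrypted config files, with the key kept inside the application code) could look like the following. This is an added example, not code from the thread; the class name `EncryptedConfig`, the `IV || ciphertext` file layout, the choice of AES-GCM, the demo key and the sample properties are all assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Properties;

public class EncryptedConfig {
    // Constructed demo key (16 bytes, AES-128). It ships inside the class file,
    // so obfuscation only hides it from casual inspection of the deployed WAR.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final int IV_LEN = 12, TAG_BITS = 128;

    private static Cipher cipher(int mode, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }

    // Build-time step: returns IV || ciphertext+tag for the plaintext config.
    public static byte[] encrypt(String plainConfig) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV per file; never reuse with the same key
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, iv).doFinal(plainConfig.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Run-time step: authenticates and decrypts the blob, then parses it.
    // A tampered or truncated file fails with AEADBadTagException.
    public static Properties load(byte[] blob) throws Exception {
        if (blob.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("config blob too short");
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] pt = cipher(Cipher.DECRYPT_MODE, iv).doFinal(blob, IV_LEN, blob.length - IV_LEN);
        Properties p = new Properties();
        p.load(new StringReader(new String(pt, StandardCharsets.UTF_8)));
        return p;
    }

    public static void main(String[] args) throws Exception {
        byte[] blob = encrypt("db.url=jdbc:example://localhost/app\ndb.user=app\n"); // constructed sample
        System.out.println(load(blob).getProperty("db.user"));
        blob[blob.length - 1] ^= 1; // flip one bit: load() must now reject the file
        try { load(blob); } catch (javax.crypto.AEADBadTagException e) { System.out.println("tamper detected"); }
    }
}
```

Because the key sits in the same deployment as the ciphertext, this protects the config against casual reading and silent modification, not against an administrator who decompiles the class.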
