Good comments, but how would you encrypt the config files when Struts needs these to run our code (hence before I can decrypt)? While I personally prefer Cocoon over Struts, these are pretty much 'Sister' projects, so the same solution would help me also.
Discussion appreciated.

Rob

-----Original Message-----
From: Nikola Milutinovic [mailto:[EMAIL PROTECTED]
Sent: 17 January 2006 21:28
To: Tomcat Users List
Subject: Re: Encrypting/Protecting JSP/Struts source code (UNCLASSIFIED)

Samara, Fadi N Mr ACSIM/ASPEX wrote:

>Classification: UNCLASSIFIED
>Caveats: NONE
>
>-----Original Message-----
>From: Tom Burke [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, January 17, 2006 10:19 AM
>To: Tomcat Users List
>Subject: Encrypting/Protecting JSP/Struts source code
>
>My company has developed and is now marketing/selling a line-of-business
>JSP/Tomcat application which we sell to corporate customers to run on their
>servers in their intranets.
>
>It's suddenly become clear to my company that when we deploy a WAR on a
>customer's site, the source code is completely visible to anyone who has
>access to the server's drives, and this is belatedly causing some concern.
>Obviously there are clauses in our license that formally protect our
>intellectual property and at a corporate level we are relaxed, but my boss
>is quite concerned about the delinquent administrator who simply downloads &
>walks away with the code.
>
>Is there any way in which the deployed WAR file, and all the files that
>explode out of it, can be hidden/encrypted/protected on the server, while
>still allowing them to be executed by Tomcat? The app is almost completely
>JSP/Struts, there is hardly any HTML at all (if any in fact).
>

There is some nonsense here, so let us clear it out.

First of all, Java classes are compiled binary entities, no source there. Sure, there are tools for reverse engineering, decompilers. You can make life harder for them by using obfuscators, I believe Jakarta has a good one.

Next, for JSPs, well, yes they are source, but in Struts applications, they should have a limited role. Even so, there are JSP precompilers, Ant has a task for that. Couple it with an obfuscator and your source is unreadable.
The only thing that remains are the config files. You could theoretically encrypt them, keeping the key inside your code, which will get obfuscated, anyway. Does that satisfy you?

Nix.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]