Securing (against reverse engineering) a J2EE Application

Hi Guys,


Anyone had to secure/encrypt/obfuscate a Java enterprise application (.ejb, .war, .ear) before? Is it even possible? :confused:

Thanks..
 
Even with obfuscated C++, it's possible. With Java, it's near impossible.

I don't suppose it's a web app, is it? Otherwise no luck.
 
Look, I know there is no way to ensure against reverse engineering, but I would have liked to add one level of security though. So it takes more than a regular idiot to just unzip the .war and .ejb files and decompile the .class files and use them. The problem is that it's an enterprise web application with web services entry points. This in turn calls enterprise beans. So the obfuscation tools do not keep everything intact.
 
Not much you can do as far as I know. It's one of the areas in which Java is limited.
 
I'm not a Java programmer, but the obfuscator we use for our C# programs has all kinds of settings to make sure that it works correctly with our programs.

In fact, doing a quick Google, it looks like Proguard can also be configured to do what you want it to do.
Annotations: http://stackoverflow.com/questions/7378693/proguard-and-annotations
XML: http://sourceforge.net/tracker/?func=detail&aid=3480679&group_id=54750&atid=474704

These examples may not be exactly what you were concerned about but to me it looks like Proguard can be configured to work as you want it to.
http://proguard.sourceforge.net/index.html#manual/index.html

If I'm wrong then sorry. :)
 

Thanks Solitude, will check it out. What a mission :)
 
A friend of mine is using a combination of DashO Pro and Zelix KlassMaster.
 
Looking around the Web there are plenty of tools to assist. One which came up quite frequently for me was Smokescreen: http://www.leesw.com/smokescreen/

Another was Allatori: http://www.allatori.com/ This one provides regular updates and lists some large companies that are using it.

Could be worth a try. At the end of the day, decompiling is what some people will always try to do. You just want to make it more difficult to do than someone else.
 
In reality, whatever you have written, 99% of the time, is not really unique, and no one is going to steal it, not with any high chance.

You are also just adding more complexity for production builds and deployments.

Rather, security around the version control and server access.

Are you distributing wars/ears to untrusted 3rd parties?
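
The ProGuard suggestion earlier in the thread, as an added example that is not part of any original post: a configuration that obfuscates an EJB module while keeping what the container, injection and web service endpoints resolve by name or annotation. The jar names, the `com.example.app` package and the use of `javax.*` (Java EE 5/6) annotations are assumptions.

```proguard
# Constructed example: file names and com.example.app are placeholders.
-injars       app-ejb.jar
-outjars      app-ejb-obf.jar
-libraryjars  <java.home>/lib/rt.jar
-libraryjars  lib/javaee-api.jar

# The container reads annotations and generic signatures reflectively at
# deploy time, so they must survive shrinking and obfuscation.
-keepattributes *Annotation*,Signature,Exceptions,InnerClasses,EnclosingMethod

# Session and message-driven beans: keep the class name and public API that
# lookups and remote clients depend on. Private internals are still renamed.
-keep @javax.ejb.Stateless     class * { public *; }
-keep @javax.ejb.Stateful      class * { public *; }
-keep @javax.ejb.MessageDriven class * { public *; }

# Business interfaces are referenced by name from the web tier and clients.
-keep @javax.ejb.Local  interface * { *; }
-keep @javax.ejb.Remote interface * { *; }

# Web service endpoints and their service endpoint interfaces.
-keep @javax.jws.WebService class * { *; }

# Injection targets and lifecycle callbacks must not be removed as unused.
-keepclassmembers class * {
    @javax.ejb.EJB *;
    @javax.annotation.Resource *;
    @javax.annotation.PostConstruct <methods>;
    @javax.annotation.PreDestroy <methods>;
}

# Types marshalled to and from XML by the web service layer (placeholder
# package): field and accessor names are part of the wire format.
-keep class com.example.app.dto.** { *; }

# Serialized state passed between tiers has to stay compatible.
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
}

# Update class names mentioned in deployment descriptors to the new names.
-adaptresourcefilecontents META-INF/ejb-jar.xml,META-INF/persistence.xml

# Keep the name mapping so production stack traces can be de-obfuscated.
-printmapping app-ejb-mapping.txt
```

The mapping file reverses the renaming, so store it with the same access controls as the source code.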
 