security about .class information

**dr_pompeii** · Oct 25th, 2007, 12:53 PM

Hello guys

i have a huge doubt, maybe some friendly member can help

my friend gave its .war application with all necessary files (.css,.jsp,.class,etc)
to its company work, a contract

the company had a situation in which some bad user stole the .war undeployed (the folder application of course) and he was caught, now i think he is in jail

the company are afarid about the security,
in the sentide of the source code, the application of course no has the .java files, but yes the .class

there are rumors about some programas that from the .class can generate the .java ,something like that

the question is ,
is there some tool that can avoid this
in the sentide
since when i create my .class other person cant generate the .java form them???

thanks for advanced

**Marten Deinum** · Oct 25th, 2007, 02:16 PM

there are rumors about some programas that from the .class can generate the .java ,something like that

That isn't a rumor those tools are widely available, the most well known one is jad.

is there some tool that can avoid this

No. There are tools which can make it difficult by obfuscating your code (i.e. renaming your classes and metods) but thats it.

**dr_pompeii** · Oct 25th, 2007, 02:49 PM

hi marten

thanks for the reply

the most well known one is jad.

ok

There are tools which can make it difficult by obfuscating your code (i.e. renaming your classes and metods) but thats it.

some suggestion about your experience with some tool of this?

regards

**Marten Deinum** · Oct 26th, 2007, 02:14 AM

Originally Posted by dr_pompeii

some suggestion about your experience with some tool of this?

Haven't worked with those tools. However google should be helpful. Use java, obfuscation/obfuscating as keywords and you should get some hits.

**dr_pompeii** · Oct 26th, 2007, 03:44 PM

thanks Marten

tell me, how do you protect your code?

regards

funny
http://forum.java.sun.com/thread.jsp...712642&start=0

**karldmoore** · Oct 27th, 2007, 04:42 AM

We currently use yGuard. You can still JAD the files though. If you are working with XML configuration you are also going to have to preserve class and method names.

**dr_pompeii** · Oct 27th, 2007, 06:51 AM

Hi Karl

If you are working with XML configuration you are also going to have to preserve class and method names.

yes, thats the weak part, to avoid a pain with spring and log part report

i need your help

java -jar yguard.jar
Usage java -jar yguard.jar logfile.xml[.gz] [-pipe] [name]

karl, pls, can you share your xml configuration?

i see in the page documentation a lot of options and is confuse

thanks in advanced

**karldmoore** · Oct 27th, 2007, 11:48 AM

We do something like this.

Code:

	<!-- yQuard obfuscation task definition -->
	<taskdef name="obfuscate" classname="com.yworks.yguard.ObfuscatorTask" classpath="${yguard.home}/lib/yguard.jar"/>

		<echo>Obfuscating the code</echo>
		<obfuscate logfile="${build.dir}/obfuscation-log.xml" conservemanifest="true" replaceclassnamestrings="true">
			<property name="language-conformity" value="compatible"/>
			<expose>
				<class classes="protected" methods="protected" fields="protected"/>
			</expose>
			<inoutpair in="${build.dist}/${ant.project.name}.jar" out="${build.extension}/private/${ant.project.name}.jar"/>
			<externalclasses refid="build.classpath"/>
		</obfuscate>

**karldmoore** · Oct 27th, 2007, 11:49 AM

Basically you are doing to have to preserve public class names and also method names, otherwise you'll have problems.

Thread: security about .class information

Thread Tools

Display

security about .class information

Posting Permissions