File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Applets and the fly likes How do I hide my applets? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of EJB 3 in Action this week in the EJB and other Java EE Technologies forum!
JavaRanch » Java Forums » Java » Applets
Bookmark "How do I hide my applets?" Watch "How do I hide my applets?" New topic
Author

How do I hide my applets?

Velika Srbija
Ranch Hand

Joined: Jan 15, 2002
Posts: 172
In order to access my applets from my jsp I had to store them outside of the WEB-INF directory. But, it is easy to get the listing of such directory and therefore copy all applet classes. Is there any way I could hide my applet classes?
Norm Radder
Ranch Hand

Joined: Aug 10, 2005
Posts: 685
Wrap them in the HideEmAll class. Nothing can be found once in there.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
    
  27
Applets are run on the client, so that's where the classes must go. And once they're there, they can be stored locally and decompiled. You can make that harder by obfuscating the code, but you can't prevent it from happen. That's just a fact of life with applets.


Ping & DNS - updated with new look and Ping home screen widget
Velika Srbija
Ranch Hand

Joined: Jan 15, 2002
Posts: 172
Norm Radder:

What do you mean by "Wrap them in the HideEmAll class"? Give me some guidelines.

Ulf Dittmer:

As stated in the docs, this should work in order not to cache applets on the client's comp:
<jsp aram name="cache_option" value="No" />

I've checked it. It doesn't always work!
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
    
  27
A caching option set by a web page may be honored by a web browser or Java plugin, or it may not be (and according to a quick Google search this option may no longer be used in current plugin versions), but that's irrelevant to the point in question: You can't prevent the applet code from getting into someone's malevolent hands, because that's where they need to be if that person can run it.

What Norm said was a joke; he should have used a to indicate that.
[ September 30, 2005: Message edited by: Ulf Dittmer ]
Velika Srbija
Ranch Hand

Joined: Jan 15, 2002
Posts: 172
Obfuscating might not be a good enough solutin, because my applet consist of 4 very simple classes with applet-servlet communicating.
Norm Radder
Ranch Hand

Joined: Aug 10, 2005
Posts: 685
I method of hiding applet code I've thought I'd like to try sometime is to use a ClassLoader in the applet. The class file would be read by the applet as a byte stream and loaded into the JVM ClassLoader loadClass() method to create a class. That moves the hack problem up one level.
The next level would be to encode the class file.
The next level would be to have a cgi that encodes the class on each request and passes the key and the class file back.
The next level would be to have the cgi return the html and applet with the decode key as a param and have a time limit between the request for the html and the request for the class file.
None can prevent a good programmer from reading and decompiling your code.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
    
  27
Obfuscating might not be a good enough solutin, because my applet consist of 4 very simple classes with applet-servlet communicating.

If the classes are simple, what is the need to hide the code?

If you're communicating to a servlet anyway, then move all the methods you want to protect to the servlet, so that the applet consists solely of a GUI, which shouldn't be in need of protection. If it's the method of communication you want to protect, use authentication.

Using ClassLoaders, like Norm suggests, ups the ante to a point where an attacker would need to be rather determined to get at the code, but requires the applet to be signed, and thus the signature to be accepted by the users. That may or may not be a feasible route in your case.
Velika Srbija
Ranch Hand

Joined: Jan 15, 2002
Posts: 172
My classes are simply indeed, but there are some math formulaes that I don't want to share. In order to gain very fast calculations (results) I don't want those formulaes stored in the servet method. What shall I do?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
    
  27
Since you have applet-to-servlet communication in place anyway, you can use that to retrieve the formulas a strings when you initialize the applet. Then you can use a library like JEP to evaluate the formulas. That is of course quite a bit slower than evaluating them directly, but it does offer another layer of protection, though, once again, it can be defeated.
Velika Srbija
Ranch Hand

Joined: Jan 15, 2002
Posts: 172
Thanks. That will be good enough.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: How do I hide my applets?
 
Similar Threads
Applet jdbc
Deploying applets in a web application
Applet in tomcat
Applet in web application
the applet and the $CLASSPATH