deploying a jsp based product

jayram
Ranch Hand

Joined: Oct 30, 2000
Posts: 94
Hello
My company is coming up with a web-based product which uses JSPs. Now, in order to sell the product, we need to find a strategy so that we can secure our source code. Obfuscation, though not perfect, works fine with applications, but what about JSPs? Any thoughts?
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12678
I can't think of any way to secure the JSP code but if most of your functionality is in beans or taglibs it won't matter much.
Bill
jayram
Ranch Hand

Joined: Oct 30, 2000
Posts: 94
Bill,
Taglibs look like a good alternative. I can't trust beans, as class files are very easy to decompile. One more thing I am trying to do is obfuscate the compiled JSPs; I don't know if it would work.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12678
Class files may be easy to decompile, but exactly how do you expect somebody to get them?
Web servers are forbidden to serve anything in the WEB-INF directory of an application, so servlets are not like applets with respect to class file security.
Bill
jayram
Ranch Hand

Joined: Oct 30, 2000
Posts: 94
Bill,
The scenario is that I write code and deploy it on the app servers of various companies. Some of them could be using it just for evaluation. I don't want to restrict these people from snooping into my code. The client is not the end user but the company to which I am selling the product.
I understand that using copyrights and other user agreements I can tie him legally, but it's not necessary that all software companies will have the muscle power to exercise this option.
Isn't there any way of making it difficult for someone to just reverse engineer and use my code?
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12678
Obfuscation of class code would appear to be the only thing that can help you here. Decompiling Java is supposedly easier than (for example) C++ because of the extensive data that class files contain. However, no matter what the language, it can eventually be decoded.
Bean code would be easiest to decompile because the get/set methods use the variable name, so taglibs are indicated.
I suppose you could require that the test installation download some essential class from your master server, but if you make things too difficult for your customers - expect a reaction.
Bill
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565

Obfuscation

Hi, what is that?


I have seen things you people would not believe, attack ships on fire off the shoulder of Orion, c-beams sparkling in the dark near the Tennhauser Gate. All these moments will be lost in time, like tears in the rain.
shai koren
Ranch Hand

Joined: Nov 04, 2001
Posts: 48
Hi Joshi
You can always try to cut the actual functionality of your web application to the minimum of presentation and mediating method calls to an obfuscated jarred application. In that case, all your client can see from the decompiled servlets is the names of the public methods in the obfuscated application. It's a bit tricky to try to obfuscate public method names, since the servlets need to call those, but then it's down to keeping the actual logic in private methods, which you can obfuscate, since the obfuscator will change their names where they are called in that file. A strict separation in this case should serve your need and also might help you to reuse this logic.
Have a look at http://www.retrologic.com/
cheers
shai


Shai koren
SCJP2
SCEA (well yea only part 1 so far)
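Added example, not part of the thread: a pre-shipping check, in Python, for the point made in the posts above that public method names stay readable in a compiled class while private ones can be renamed by an obfuscator. It parses a class file and lists private members that still carry descriptive names; the class name `Pricing`, the method names and the "longer than two characters" heuristic are assumptions, and the sample bytes are constructed for parsing only.

```python
import struct

# Bytes that follow the tag for every fixed-size constant-pool entry type.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def read_members(data):
    """Return [(name, access_flags)] for every field and method in a .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, pos, utf8, i = struct.unpack_from(">H", data, 8)[0], 10, {}, 1
    while i < count:
        tag = data[pos]
        size = struct.unpack_from(">H", data, pos + 1)[0] + 2 if tag == 1 else CP_SIZES[tag]
        if tag == 1:                       # Utf8 entry: u2 length, then the text
            utf8[i] = data[pos + 3:pos + 1 + size].decode("utf-8", "replace")
        pos += 1 + size
        i += 2 if tag in (5, 6) else 1     # long/double occupy two pool slots
    pos += 8 + 2 * struct.unpack_from(">H", data, pos + 6)[0]  # flags..interfaces
    members = []
    for _ in range(2):                     # fields table, then methods table
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        for _ in range(n):
            acc, name, _desc, n_attr = struct.unpack_from(">4H", data, pos)
            pos += 8
            for _ in range(n_attr):        # skip attribute bodies such as Code
                pos += 6 + struct.unpack_from(">I", data, pos + 2)[0]
            members.append((utf8[name], acc))
    return members

def leaked_names(data):
    """Private members whose names still read as words (obfuscators emit a, b, ...)."""
    return [n for n, acc in read_members(data)
            if acc & 0x0002 and len(n) > 2 and not n.startswith("<")]

def build_sample(methods):
    """Constructed, parse-only class bytes from [(name, access_flags)]; not loadable."""
    names = ["Pricing", "java/lang/Object", "()V", "Code"] + [n for n, _ in methods]
    cp = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode() for n in names)
    k = len(names)                         # Class entries land at k+1 and k+2
    head = struct.pack(">I3H", 0xCAFEBABE, 0, 52, k + 3) + cp + b"\x07\x00\x01\x07\x00\x02"
    rows = (struct.pack(">5HI", acc, 5 + i, 3, 1, 4, 2) + b"\0\0"
            for i, (_, acc) in enumerate(methods))
    return head + struct.pack(">6H", 0x21, k + 1, k + 2, 0, 0, len(methods)) + b"".join(rows)

# Constructed samples: the same facade class before and after obfuscation.
BEFORE = build_sample([("quote", 1), ("applyDiscountRules", 2), ("loadRateTable", 2)])
AFTER = build_sample([("quote", 1), ("a", 2), ("b", 2)])
```

Run `leaked_names` over each class in the delivered JAR; the public name `quote` remains visible in both samples because the servlet layer has to call it.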
jayram
Ranch Hand

Joined: Oct 30, 2000
Posts: 94
Thanks Bill and Shai
I figured out that using something like Struts, which moves all critical logic out of the JSPs and holds it in beans, and then obfuscating these beans would be a good solution.
Let's see if this works.
Thanks for your help
 