1

I have a application war bundled with class files which we deploy into tomcat. I will be deploying the application at client location server where different people will have access to it.

I want the code to be safe so that nobody can view the class files using class decompiler. I am not much interested in obfuscation as it will make logging difficult and this will involve changing non-java resource files(as class names,variable and methods are updated). I have searched other options like making class files inside the war encrypted and then write a custom class loader which will decrypt the classes at rum time and load the classes.

I am able to write a custom classloader which will read a jar file and load the classes http://kalanir.blogspot.in/2010/01/how-to-write-custom-class-loader-to.html

But I am not able to find how this will work with tomcat. Also do we have any tutorial to explain how we can encrypt a class file, a custom class loader which will decrypt this class, configure the custom class loader so that when my application runs in tomcat it should be able to load the required classes.

Improve this question
2
  • Although I cannot provide a very detailed explanation on this. But if you google on net regarding the same problem, there are many numerous ways of encrypting/decrypting the class files. Also, you will notice that everywhere it is also mentioned that no matter how you encrypt or decrypt your class files it is never 100% safe. Some encryption techniques exposed the raw data on decryption while some are able to expose certain part of code. My knowledge on this topic is limited hence I cannot give a very concrete reason. Commented Jun 12, 2013 at 12:55
  • @AngelsandDemons yes I agree that there is no full proof mechanism to prevent class files from decompiling, But we want to make this a little more difficult. Commented Jun 13, 2013 at 5:57

1 Answer 1

Reset to default
2

you can get help from http://cryptofreek.org/2010/06/04/encrypting-and-decrypting-files-with-java/ about encrypting and decrypting class file.

In the given example : http://kalanir.blogspot.in/2010/01/how-to-write-custom-class-loader-to.html To load your class in tomcat simply create a constructor with parent classloader as a parameter

public JarClassLoader(ClassLoader parent) {
super(parent);
}

and while initializing your JarClassLoader pass the tomcat's classloader as an argument.

 new JarClassLoader(<CurrentClass>.class.getClassLoader());
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thx for the link.where I need to initialize my JarClassLoader. also my application has some third party libs in WEB-INF/libs.Do I need to load these jars present in libs.Or tomcat will take care of loading the jar file?
the webapploader of tomcat will take care of the libs by itself. You can initialize your JarClassLoader whenever you want to load the class. The super(parent) will bind it to the tomcat's webapploader as a child..

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.