Encrypting WAR files

Published 2019-03-27 11:41

Question:

I would like to encrypt or obfuscate my WAR file so that reverse engineering will take a little more effort. Is there such a tool or maven plugin that will encrypt a WAR file and its contents?

Also, once the WAR is encrypted, how will the web application be deployed at that point? If the web server explodes the WAR, can each JAR and resource still be encrypted, and how will the startup behavior be modified to decrypt the nested JARs and resources?

Thanks, Walter

Answer 1:

Cracking Java byte-code encryption: Why Java obfuscation schemes based on byte-code encryption won't work (article from JavaWorld).

If your code is important enough to go to all this trouble it probably makes sense to host it on a private server... :\



Answer 2:

DashO from PreEmptive Solutions will also obfuscate WAR files.



Answer 3:

Zelix KlassMaster can be run from Ant. Looks like it handles WARs too.

Couldn't tell you about the deployment of the WAR but any obfuscator that causes an archive not to work after it's been obfuscated isn't worth much.



Answer 4:

I have the same problem here. I tried it with yGuard 2.4, ProGuard 4.7, Zelix 5.4.6, Allatori 4.0, JavaGuard 1.0 and Sandmark 3.40. None of them gave me any sign that my obfuscated web application would not run. They can obfuscate bytecode; they can even obfuscate my application. That is all.

P.S.: The application server (server container: Tomcat, Apache, GlassFish, WebLogic, WebSphere, etc.) can't hide our code from hackers. In my experience all of them have a temp folder which contains the items currently in use. In this folder we can see the code.

Finally, I would say that if we use Java then we make open source. :P



Answer 5:

I had a solution to this problem. It goes like this:

Encrypt the WAR file: ZIP it and encrypt it, so it cannot be read without the password.

Set up a system, or only give the password to a hosting service. Once you and a client have worked out your terms, you give the password to the hosting service. They decrypt the WAR file and install it. The client only sees the website/API. The client never has access to your JAR files.

Any comments?
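As an added example that is not part of the original thread, here is one way to carry out the scheme answer 5 describes: the vendor encrypts the WAR under a passphrase with `openssl enc` (AES-256-CBC, key derived with PBKDF2) and publishes a SHA-256 digest of the plaintext next to it; the hosting side decrypts, checks the digest, and only then copies the WAR into the container's deployment directory. The function names, the `app.war` file name and the constructed fake WAR bytes are this example's own assumptions; the passphrase is read from a file rather than the command line so it does not show up in `ps` output or shell history.

```shell
#!/bin/sh
# Added example (not from the original thread): encrypt a WAR for hand-off to a
# hosting service, and decrypt/verify/install it on the hosting side.
# AES-256-CBC with a PBKDF2-derived key; openssl stores the salt in the ciphertext
# header, so both sides must use the same -pbkdf2/-iter options.
set -eu

PBKDF2_ITER=200000

# SHA-256 hex digest of a file, shipped next to the ciphertext so the host can
# confirm that what it decrypted is the WAR the vendor built.
sha256_of() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Vendor side: encrypt_war <plain.war> <out.enc> <passphrase-file>
# The first line of <passphrase-file> is the passphrase.
encrypt_war() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# Hosting side: decrypt_war <in.enc> <out.war> <passphrase-file>
decrypt_war() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# verify_war <war> <expected-sha256>: exit 0 only if the digests match.
verify_war() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Hosting side, end to end: install_war <in.enc> <expected-sha256> <passphrase-file> <deploy-dir>
# Decrypt to a scratch file, check the digest, and only then copy into the deploy
# directory. Returns non-zero and installs nothing if the passphrase is wrong or
# the ciphertext was tampered with (a wrong key either fails padding or yields
# bytes whose digest does not match).
install_war() {
    enc="$1"; expected="$2"; passfile="$3"; deploy_dir="$4"
    tmp_war=$(mktemp)
    if decrypt_war "$enc" "$tmp_war" "$passfile" 2>/dev/null \
        && verify_war "$tmp_war" "$expected"; then
        cp "$tmp_war" "$deploy_dir/app.war"
        rm -f "$tmp_war"
        return 0
    fi
    rm -f "$tmp_war"
    return 1
}

# Self-contained demo on a constructed stand-in for a WAR (a real WAR is a zip
# archive; these bytes are made up for the example).
roundtrip_demo() {
    work=$(mktemp -d)
    printf 'PK\003\004 constructed fake WAR payload\n' > "$work/app.war"
    printf 'correct horse battery staple\n' > "$work/pass.txt"
    printf 'not the passphrase\n' > "$work/wrong.txt"
    mkdir "$work/webapps"
    digest=$(sha256_of "$work/app.war")

    encrypt_war "$work/app.war" "$work/app.war.enc" "$work/pass.txt"
    # The ciphertext must not expose the plaintext ...
    ! grep -aq 'constructed fake WAR' "$work/app.war.enc" || return 1
    # ... the wrong passphrase must install nothing ...
    ! install_war "$work/app.war.enc" "$digest" "$work/wrong.txt" "$work/webapps" || return 1
    [ ! -e "$work/webapps/app.war" ] || return 1
    # ... and the right one must reproduce the original WAR byte for byte.
    install_war "$work/app.war.enc" "$digest" "$work/pass.txt" "$work/webapps" || return 1
    cmp -s "$work/app.war" "$work/webapps/app.war" || return 1
    rm -rf "$work"
    echo "roundtrip OK"
}

roundtrip_demo
```

Note what this does and does not buy you, which is the point answer 4 makes: the WAR is protected in transit and at rest until the hosting service types the passphrase, but once the container deploys it, the exploded classes sit in the server's temp or work directory in the clear, so anyone who administers that host can still read the code. The scheme keeps the artifact away from the client, not from the operator.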