0

I want to give my client limited access to a server dedicated to him where a Java app is running. The client will write some plugins and run the Java app (it's a console app). The app has code which I would like to protect from decompiling and configuration that is potentially accessible from within the plugin as it all will run in the same JVM. I'd like to be sure that the client uses only the API of my app and some standard Java classes but can't do funky class loading and reverse-engineering of my app.

Is there a way to protect my code and config from decompiling / downloading? I know there are numerous topics devoted to obfuscation and encrypting of jar files and general consensus is that protection is not possible but I don't think it relates to my case as I control the execution environment, can set up permissions etc. It's a Ubuntu 12.04 box.

I'm not sure if I can give a client shell access with limited read/execution rights and set it all up securely. Any pointers? Thanks.

derenik
  • 163
  • 5

1 Answers1

0

If it is running in the same JVM, this is impossible to lock down.

Reflection can get classes.

Class<?> class_ = Class.forName("foo.bar");

methods,

class_.getMethod("bax");

and pretty much anything else.

It can create new objects, and call methods on them without regard to visibility (public, private, etc.)

Paul Draper
  • 78,542
  • 46
  • 206
  • 285
  • After more searching on the topic I came across sandboxes in JVM and SecurityManager class. Looks like it allows to lock down calls to specific methods so maybe I can lock down Class.forName and the whole reflection package. Do you think it won't work? Thanks. – derenik Nov 14 '13 at 06:25
  • @derenik, I do not know. – Paul Draper Nov 14 '13 at 07:35
  • You can put packages hierarchies under "package.access", which would make the `getMethod` call fail (the `Class.forName` as well, but that isn't really important). Because of widespread hacks, it's decidedly tricky to set up in Java. Best IMO to separate the untrusted code into a different process and lock down using whatever the usual OS techniques are. – Tom Hawtin - tackline Nov 14 '13 at 17:50