|
-
October 20th, 2006, 04:35 AM
#1
Distributing applets
Hi everyone. I was wondering how secure is to distribute applets through internet. What I mean is: suppose I upload an applet in a site. The users will have limited access to the applet (maybe through an asp or jsp page that checks password). After a specific period of time the user's account will be disabled. My question is: the applets will be run on the users pc. Is there any way the user will have kept the applets on his pc and then run them offline? Can I avoid sth like that. Also, another question: is it possible for someone to obtain the java code from an applet (a .class file)?
Best Regards,
Theodore
-
October 20th, 2006, 07:57 AM
#2
Re: Distributing applets
Hi Theodore,
Well, the .class files will have to be downloaded over the net, in order for the clients pc to run the applet. So they might have access to the .class files. And any .class file can de-compiled, so anyone with some VM knowledge might be able to gain a good idea of what is happening in your code.
Instead of giving access to people through a JSP or ASP page to your applet, why not have the applet do it's own access control, that way even if someone manages to run it on their pc, they still won't be able to gain full access to the applet.
Byron Tymvios
Please use [ CODE ] and [/ CODE ] tags when posting code! See THIS on how to use code tags.
-
October 20th, 2006, 08:54 AM
#3
Re: Distributing applets
 Originally Posted by Bnt
Well, the .class files will have to be downloaded over the net, in order for the clients pc to run the applet. So they might have access to the .class files. And any .class file can de-compiled, so anyone with some VM knowledge might be able to gain a good idea of what is happening in your code.
 I've really never heard of that. After your post I did a relevant search (decompile + java) in google and found some programs for this purpose. So, thanx alot for the information Bnt, I was sure there was no way to obtail the code from a binary java file.
Originally Posted by Bnt
Instead of giving access to people through a JSP or ASP page to your applet, why not have the applet do it's own access control, that way even if someone manages to run it on their pc, they still won't be able to gain full access to the applet.
I see. Any suggestions on how I could do this? Maybe let the applet communicate with a servlet for checking username and password?
In any case the anyone who has the class files (with some knowledge) will be able to get the code also. So there is no way I can avoid this?
Thanx again,
Theodore
-
October 20th, 2006, 09:00 AM
#4
Re: Distributing applets
Maybe let the applet communicate with a servlet for checking username and password?
That is exactly how I would do it.
In any case the anyone who has the class files (with some knowledge) will be able to get the code also. So there is no way I can avoid this?
You can't really avoid it, you can try obfuscate your code, which will make it more difficult to interpret, search google for "obfuscate", it should give you some techniques for acheiving this. Also try see if it is possible to encrypt your class files, I'm not sure if it is possible but worth a try.
Bnt, I was sure there was no way to obtail the code from a binary java file.
With the right tools you can reverse engineer code written and compiled in pretty much any programming language.
Byron Tymvios
Please use [ CODE ] and [/ CODE ] tags when posting code! See THIS on how to use code tags.
-
October 20th, 2006, 10:10 AM
#5
Re: Distributing applets
I was just thinking about your problem and came to this conclusion. I'm not sure how your applet works or what it does, but there is obviously some code there, that you don't wan't ppl to have access to. Why not design it in such away that most of the logic/private code is in servlets, and simply call the servlets from you applet (you might be limited to returning XML from your servlets).
Depending on your setup you might even be able to use EJB's and call them remotely from your applet. This way you could even return objects to your applet.
Both ways would hide the sensitive code (db access, algorithms, etc..) from the client pc.
This might help you protect sensitive code.
Byron Tymvios
Please use [ CODE ] and [/ CODE ] tags when posting code! See THIS on how to use code tags.
-
October 20th, 2006, 07:46 PM
#6
Re: Distributing applets
I agree with Bnt - if there's some code you want to stay hidden, put it in a servlet and have the applet call it. It's simple, flexible, and easy to implement. Done right, you end up with a useful library of reusable servlets.
To arrive at the simple is difficult...
R. Elisha
Please use [CODE]...your code here...[/CODE] tags when posting code. If you get an error, please post the full error message and stack trace, if present.
-
October 23rd, 2006, 11:12 AM
#7
Re: Distributing applets
Thanx alot guys....
Your suggestions seem very helpful. I'll give it a try....
Best Regards,
Theodore
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|
Reply With Quote
