Distributing applets

Printable View

October 20th, 2006, 04:35 AM
yiannakop

Distributing applets

Hi everyone. I was wondering how secure is to distribute applets through internet. What I mean is: suppose I upload an applet in a site. The users will have limited access to the applet (maybe through an asp or jsp page that checks password). After a specific period of time the user's account will be disabled. My question is: the applets will be run on the users pc. Is there any way the user will have kept the applets on his pc and then run them offline? Can I avoid sth like that. Also, another question: is it possible for someone to obtain the java code from an applet (a .class file)?
Best Regards,
Theodore
October 20th, 2006, 07:57 AM
Bnt

Re: Distributing applets

Hi Theodore,

Well, the .class files will have to be downloaded over the net, in order for the clients pc to run the applet. So they might have access to the .class files. And any .class file can de-compiled, so anyone with some VM knowledge might be able to gain a good idea of what is happening in your code.

Instead of giving access to people through a JSP or ASP page to your applet, why not have the applet do it's own access control, that way even if someone manages to run it on their pc, they still won't be able to gain full access to the applet.
October 20th, 2006, 08:54 AM
yiannakop

Re: Distributing applets

Quote:

Originally Posted by Bnt

Well, the .class files will have to be downloaded over the net, in order for the clients pc to run the applet. So they might have access to the .class files. And any .class file can de-compiled, so anyone with some VM knowledge might be able to gain a good idea of what is happening in your code.

:eek: I've really never heard of that. After your post I did a relevant search (decompile + java) in google and found some programs for this purpose. So, thanx alot for the information Bnt, I was sure there was no way to obtail the code from a binary java file.

Quote:

Originally Posted by Bnt

Instead of giving access to people through a JSP or ASP page to your applet, why not have the applet do it's own access control, that way even if someone manages to run it on their pc, they still won't be able to gain full access to the applet.

I see. Any suggestions on how I could do this? Maybe let the applet communicate with a servlet for checking username and password?

In any case the anyone who has the class files (with some knowledge) will be able to get the code also. So there is no way I can avoid this?
Thanx again,
Theodore
October 20th, 2006, 09:00 AM
Bnt

Re: Distributing applets

Quote:

Maybe let the applet communicate with a servlet for checking username and password?

That is exactly how I would do it.

Quote:

In any case the anyone who has the class files (with some knowledge) will be able to get the code also. So there is no way I can avoid this?

You can't really avoid it, you can try obfuscate your code, which will make it more difficult to interpret, search google for "obfuscate", it should give you some techniques for acheiving this. Also try see if it is possible to encrypt your class files, I'm not sure if it is possible but worth a try.

Quote:

Bnt, I was sure there was no way to obtail the code from a binary java file.

With the right tools you can reverse engineer code written and compiled in pretty much any programming language.
October 20th, 2006, 10:10 AM
Bnt

Re: Distributing applets

I was just thinking about your problem and came to this conclusion. I'm not sure how your applet works or what it does, but there is obviously some code there, that you don't wan't ppl to have access to. Why not design it in such away that most of the logic/private code is in servlets, and simply call the servlets from you applet (you might be limited to returning XML from your servlets).

Depending on your setup you might even be able to use EJB's and call them remotely from your applet. This way you could even return objects to your applet.

Both ways would hide the sensitive code (db access, algorithms, etc..) from the client pc.

This might help you protect sensitive code.
October 20th, 2006, 07:46 PM
dlorde

Re: Distributing applets

I agree with Bnt - if there's some code you want to stay hidden, put it in a servlet and have the applet call it. It's simple, flexible, and easy to implement. Done right, you end up with a useful library of reusable servlets.

To arrive at the simple is difficult...
R. Elisha
October 23rd, 2006, 11:12 AM
yiannakop

Re: Distributing applets

Thanx alot guys....
Your suggestions seem very helpful. I'll give it a try....
Best Regards,
Theodore