Java Forum / Security / November 2004


Prevent JAR file from modification

Thomas Duehrsen - 11 Nov 2004 16:50 GMT
Hi

we want to deploy a web archive (*.war file) or just jar files to our
customers. We do all customer specific modifications to the included
XML configuration files before deployment and want to prevent the
customers from changing any configurable parameters.

How can this be achieved? I was thinking of using jarsigner, but
don't see how I can force a webserver to load only jar files which were
signed by my company.

Thanks

Thomas
Juha Laiho - 11 Nov 2004 20:10 GMT
thomas.duehrsen@sicap.com (Thomas Duehrsen) said:
>we want to deploy a web archive (*.war file) or just jar files to our
>customers. We do all customer specific modifications to the included
>XML configuration files before deployment and want to prevent the
>customers from changing any configurable parameters.
>
>How can this be achieved?

You book a meeting with your lawyer and design a contract that prohibits
your customer from modifying the files. And hope that your local laws
don't invalidate such contracts.

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
        PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

steve - 14 Nov 2004 01:07 GMT
> thomas.duehrsen@sicap.com (Thomas Duehrsen) said:
>> we want to deploy a web archive (*.war file) or just jar files to our
[quoted text clipped - 7 lines]
> your customer from modifying the files. And hope that your local laws
> don't invalidate such contracts.

if you don't know, don't reply idiot.

*************
pack your config up into a class file.

calculate the md5 checksum on the classes (store them in the
manifest file), then implement a security loader.

you could go as far as encoding the routines with a private key then issue a
public key in the classfiles for deployment.
Adam Guillot - 14 Nov 2004 09:36 GMT
>>thomas.duehrsen@sicap.com (Thomas Duehrsen) said:
>>
[quoted text clipped - 19 lines]
> you could go as far as encoding the routines with a  private key then issue a
> public key in the classfiles  for deployment.

md5 is good but put the md5 sums somewhere the customer can't change them
(like on a web server on the internet)
Ferenc Hechler - 14 Nov 2004 19:09 GMT
You can use signatures in the manifest file and use a Security Manager.
http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html#Signed%20JAR%20File
For example, mailapi.jar uses this.
bye,   feri
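
The signed-JAR check discussed in this thread, as an added example that is not part of any original post: it opens a JAR with signature verification on and accepts it only if every file entry verifies and was signed with one pinned certificate. The class and method names and the fingerprint argument are assumptions of this example, and `HexFormat` needs Java 17 or later.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.*;

public class SignedJarCheck {   // hypothetical class name
    /** True only if every file entry verifies and was signed by the pinned certificate. */
    static boolean isSignedByPinnedCert(String jarPath, String pinnedSha256) throws Exception {
        int checked = 0;
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signer info exists only after the entry is read to the end;
                // a modified entry makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || !hasPinnedSigner(signers, pinnedSha256)) return false;
                checked++;
            }
        } catch (SecurityException e) {
            return false;       // digest mismatch: entry was changed after signing
        }
        return checked > 0;     // an empty JAR proves nothing
    }

    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
            || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    static boolean hasPinnedSigner(CodeSigner[] signers, String pinnedSha256) throws Exception {
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        for (CodeSigner s : signers) {   // compare the signer's own (leaf) certificate only
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            String fp = HexFormat.of().formatHex(sha.digest(leaf.getEncoded()));
            if (fp.equalsIgnoreCase(pinnedSha256)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // args: <path to jar> <SHA-256 fingerprint of the signing certificate, hex>
        System.out.println(isSignedByPinnedCert(args[0], args[1]) ? "OK" : "REJECTED");
    }
}
```

The check is only as trustworthy as the code that runs it: a customer who administers the host can replace the loader that calls it, so it detects modification rather than making it impossible.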

