protecting applet code against hackers - java

I have a Java application that I am considering releasing over the web as an applet. I am concerned about java-savvy end users being able to somehow view the source code, given that my web server would be sending the code to their remote jvm when they try to use the applet.
What precautions can be taken to ensure that end users are never able to directly view source code of an applet?
I am hoping that release as an applet might somehow protect the privacy of the code more than releasing an application with downloadable jars that the user could just unzip. Is this true?

As a Jar is essentially just a zip file in disguise there's not really a way to keep people from viewing the source code. There are lots of decompilers available for Java classes. Most developers that are concerned about end-users decompiling the source code use an obfuscator to make the code more or less unreadable or at least difficult to understand.
Sorry there is not really a good answer to the question, it is just the nature of the Java language that you can always decompile the source code.
There are options like wrapping a Java application in an executable that will make it more difficult to access the Jar itself but obviously you can't do this for an applet.
Here's a (company) blog post on the topic of converting Java to an executable:
http://www.excelsior-usa.com/articles/java-to-exe.html
Pulled from an SO thread also on the topic:
How can I convert a JAR file to an EXE file?
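An added example (not part of the original answers) of what "a Jar is just a zip" means for a pre-release audit: it walks a JAR with the standard ZIP classes and lists the string literals stored in each class file's constant pool, which is what any recipient of the JAR can read. `JarStringAudit` and `DEMO_LITERAL` are names constructed for the example; it assumes Java 9+ and compilation with `javac` before running.

```java
import java.io.*;
import java.util.*;
import java.util.zip.*;

public class JarStringAudit {
    // Constructed sample value: a literal like this ships verbatim inside the .class file.
    static final String DEMO_LITERAL = "constructed-license-check-salt";
    /** Returns the string literals (CONSTANT_String entries) of one class file. */
    static List<String> literals(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readInt();                                   // minor + major version
        String[] utf8 = new String[in.readUnsignedShort()];
        List<Integer> refs = new ArrayList<>();
        for (int i = 1; i < utf8.length; i++) {         // constant pool is 1-indexed
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: utf8[i] = in.readUTF(); break;                 // Utf8 text
                case 8: refs.add(in.readUnsignedShort()); break;       // String -> Utf8 index
                case 7: case 16: case 19: case 20: in.readUnsignedShort(); break;
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break;
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18: in.readInt(); break;
                case 5: case 6: in.readLong(); i++; break;             // long/double take two slots
                default: throw new IOException("unknown constant tag " + tag);
            }
        }
        List<String> found = new ArrayList<>();
        for (int ref : refs) found.add(utf8[ref]);      // resolve after the loop: refs may point forward
        return found;
    }
    /** Walks a JAR as the plain ZIP stream it is and audits every .class entry. */
    static Map<String, List<String>> audit(InputStream jar) throws IOException {
        Map<String, List<String>> report = new TreeMap<>();
        try (ZipInputStream zip = new ZipInputStream(jar)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; )
                if (e.getName().endsWith(".class")) report.put(e.getName(), literals(zip));
        }
        return report;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: pack this class into an in-memory JAR, then audit that JAR.
        ByteArrayOutputStream jar = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(jar);
             InputStream self = JarStringAudit.class.getResourceAsStream("JarStringAudit.class")) {
            z.putNextEntry(new ZipEntry("JarStringAudit.class"));
            self.transferTo(z);
        }
        System.out.println(audit(new ByteArrayInputStream(jar.toByteArray())));
    }
}
```

The report includes `DEMO_LITERAL`'s value even though no code uses it. An obfuscator that only renames classes and members leaves such literals in place, so anything that must stay secret belongs on the server.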

You could use some of the available open-source code obfuscators (many people recommend using ProGuard, not only for obfuscating but also code minimization).

If somebody really wants your code, they'll get it. The best you can do is try to make it more difficult. As others have stated, a typical approach is to use a code obfuscator.
If you're using Maven to build your project you can use the proguard-maven-plugin from the maven central repository.
But since you're considering releasing it as an applet, if you can have any functionality running on server side code, you can go a lot farther towards securing your code base.

Related

Which order? ProGuard + JWrapper + Launch4J

I understand that StackOverflow is geared towards answering specific questions and avoiding subjective opinion. I feel that my question(s) have only one correct answer and therefore I’m posting here.
I’ve created a Java desktop app (JavaFX) which I plan to distribute for commercial use. I’ve read that Java code is easily reverse-engineered so it’s critical to obfuscate using something like ProGuard. I’d like to package my app so that users double click a .exe (which they download from my site) and then an installer is run like any standard software does. This appears to be outside the scope of ProGuard, but I’ve found JWrapper and Launch4J which both seem to provide similar functionality. Both claim to wrap jars into Windows native executables, show splash screens, include JRE, but I'm confused where they differ.
Specifically, I need the following:
Installation Wizard (namely to place the exe somewhere safe + make shortcut on desktop, and also add the EULA somewhere).
Add EULA (End-User License Agreement) which specifies user’s limitations
Web updates for the app (JWrapper seems to provide this using URL + build path)
Ability to protect the app (somewhat) using licensing (License3j seems promising).
Their features can be found here and here but only JWrapper mentions the ability to perform web updates and mentions desktop shortcuts (which I assume can also write a EULA.txt somewhere).
So, after I have finished writing code, in which order should ProGuard, JWrapper and Launch4j be applied? I’m guessing ProGuard first (to shrink, optimize and obfuscate) and then JWrapper and then Launch4j? Or only 2 of 3?
Feel free to also suggest additional methods, tools, or concepts which I may be missing. Thank you!
This question seems out of scope for Stackoverflow, but to answer it:
apply ProGuard first on your application, keeping the main method of your application
apply either launch4j or jwrapper (up to you to choose) on the jar processed by ProGuard

Java applets are no longer supported - what's the alternative? (File manipulation - shell commands)

I have a question about how to manipulate files from the browser; currently we are using a Java applet to create some folders, replace/delete/save some files/folders and execute a shell command with parameters. As we know, Chrome no longer supports NPAPI and therefore Java applets, Firefox will soon follow, and my guess is that IE will not stay behind forever.
So the actual question is what's the best way to go?
Should we think about creating plugins (but this then should be done for all major browsers - a lot of work)
Or do you recommend installing an external program which we can launch on the user's system? By, for instance, associating a specific extension, or by adding a URL scheme?
What about this Java Web Start? Does this allow us to communicate with the domino api?
Any other technologies that would be better?
The website we are building is using IBM Domino 9.0.1 XPages (JSF).
Answering to your use case: content management system.
For adding files the HTML5 files API should do all you need. There are plenty of examples including multi file uploads.
It gets trickier when you want to provide a round-trip edit experience. Like you click something and Word, Excel, Impress, Photoshop opens and you edit. When you save it all goes back to Domino.
The solution here is WebDAV. You can even expose Domino views as folders in Explorer / Finder / Nautilus.
For Domino there is a project on OpenNTF that implements WebDAV for documents/attachments on Domino (I wrote it). It might be your best bet.
I think we should be making a distinction here:
things like file access can be done using HTML5 file access, but
things like local administration definitely aren't something that need or should be done from within the browser.
In fact, I always hated that Java suggested that users "need not install any software" to do this and that on their machine, which was a straight lie, considering they downloaded Java Software, had to tell their Java Policy framework to trust that and then that software was able to make local changes. That's just as unsecure as downloading any (signed) executable and making your user execute it.
Java's portability¹ doesn't apply to your use case, as it seems; "executing a shell command" sounds as non-portable as it gets. So, in the end, you either only have one platform you address, or one solution for every platform, in which case you gain no portability by the fact that the same Java executable can run on all JREs (given that's the case, even).
I'd say: It's a good time to let Java for Desktops die, especially since you don't seem to be doing anything that Java is good at² in your application.
As it sounds, the average installer framework can do what you want without you writing any code. There's plenty out there, especially for Windows, which you seem to be addressing; take Microsoft's .MSI as an example. You'd end up with a two click, signable, trustable, updateable solution that wouldn't need the user to keep a JRE installed or secure at all.
CLARIFICATION: I really don't hate Java; I don't find it's the greatest language or has the best ecosystem, but whatever makes your application work is fine.
Now, you mention:
To be clear, we are creating a Document Managing System, which used to be on the Lotus Notes client and that we are trying to port to the Web.
That does in fact sound like it might be a good idea to choose any browser and embed that. In fact, Firefox is "merely" an application around a browser core, and you might just modify it (e.g. by writing an extension) to fit your needs. It's not really a "web application", that way, but it would meet your requirements of integration with a web application and local administrative access. I furthermore recommend thinking twice about the shell scripts you need to run locally -- maybe their job can be more easily replaced by another program or even something that is "web compatible" than calling them with local privileges from your web application.
¹ (which was a big thing back in the day, but honestly, Java applications nowadays are about as portable as your average .Net or Qt based application on desktop OSes, but never quite feel completely like home -- it's like portability's ugly sister if you're portable, but only offer the minimal common subset of functionality and look and feel on each platform)
² ... whatever that might be!

How to make a browser based IDE to code in the cloud?

I have read a bit about cloud and browser based IDE's.
I am planning to make a Java based bare bones IDE by integrating a compiler to code in the cloud. This is for educational purpose as I am just determined to learn to develop cloud based IDE.
I want it to be something like Eclipse Orion, but I want it to allow for coding in Java. It should allow users to code, compile and run Java programs by directly writing .java files and not by converting the .js files into java files.
Can someone please suggest me an existing cloud that I should use for this. And also, I am just a beginner and I have no clue about how to proceed and the articles that I am required to read.
Please do let me know what I should begin with and the cloud that suits my needs the best.
Thank you very much in advance.
You should look at projects like Mozilla SkyWriter, which implement the bare bones editing functionality
(There has been a lot of change lately. It seems to have been migrated to Ace.)
You can use Codenvy and put your code on a Git repository. Then, you could build automatically once you have done the push using a CI tool like Jenkins. Now, I have an environment in which I use a Jenkins instance as a Service and also a runtime environment so I can get a continuous deployment pipeline. This video will show you, in a graphical way, what I am talking about.
Koding provides you with a full Ubuntu machine, with root, so it's able to run and do what you want, programming wise.
The reason I'm suggesting Koding though, is that they have a Framework to develop your IDE for the Koding VMs themselves.
The logic here is that making IDEs is challenging, but the biggest challenge is ensuring security between your IDE users. Using another VM platform would mean that you don't have to manage the security of your VM, and focus entirely on your IDE.
Let me know what you think :)
For virtual/cloud hosting try one of the following:
Rackspace
VPS Farm
I like vpsfarm because it is cheap and pretty bare bones.
For the IDE itself, I would first create a webapp that can upload and compile and run arbitrary java code, without adding libraries or J2EE. That alone will be a good undertaking for one dev.

Open source Web based Java compiler

I want to create a web based Java tutorials kind of project which involves jQuery, CSS, JSP, Spring etc.,
so I actually want to practice these technologies, resulting in a good product. The content of this tutorial can be edited by any user and rated by clients according to the chapter etc.
I have few such ideas.
One primary idea being to have a web based compiler and executor, similar to w3schools. I know it's difficult for a compiler of server side technology on a browser.
My questions are:
Are there any such open source Java compiler/executor services available which can be used?
Is anyone interested to work on such a project (in case there isn't any)?
EDIT:
I am planning to use Compiler in java and Beanshell. Any better solutions ?
Google App Engine is the one which can help you set up a free online Java compiler, but for that you need to have an account to proceed.
A few other places you can definitely check:
http://compilr.com/
If you have Applets,
http://www.innovation.ch/java/java_compile.html
EDIT: As Stephen suggests, download JRE and JDE from the Oracle website and use it
http://www.oracle.com/technetwork/java/javase/downloads/index.html
With http://www.browxy.com you can compile and run java console application and applets
You would need a script on your server that accepts the source code, compiles it and runs it; however, I'm pretty sure you don't want to run arbitrary code.
If you still want to do it, take a look at Google's AppEngine, they do allow users to upload their (compiled) java programs and don't seem to have had any problems with it.
This question is interesting. In fact, Tomcat JSP server is an online compiler for Java Servlet. May help you a little in your case. (Not for traditional Java, though).
Imagine that you gave user an input form for Java codes ( preferably a WYSIWYG editor ), the codes will be written in a temp JSP file, and then your code compile and run the JSP.
But be careful, JSP is too powerful (as it can touch the file system, etc.). Make sure your security measure is set.
I've used ideone.com before when discussing Java code with someone in a remote location. It is a web based IDE that handles Java as well as a lot of other languages, and is very useful.
If you are trying to do it yourself, you should be aware that Java 6 and above have compilation built into the language in the javax.tools package.
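An added example (not code from any of the answers) combining the `javax.tools` compiler mentioned above with the earlier warning about running arbitrary code: the submission is compiled with annotation processing off and then executed in a separate child JVM with a heap cap and a wall-clock timeout, never loaded into the server's own JVM. `IsolatedRunner`, the 64 MB and 5 second limits, and the requirement that submissions define a class named `Main` are assumptions of the example.

```java
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.concurrent.TimeUnit;

public class IsolatedRunner {
    /** Compiles the submitted text as Main.java, then runs it in a separate, capped JVM. */
    static String compileAndRun(String source) throws Exception {
        Path work = Files.createTempDirectory("submission");
        Path src = Files.write(work.resolve("Main.java"), source.getBytes(StandardCharsets.UTF_8));

        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();   // null when no compiler is present
        if (javac == null) throw new IllegalStateException("needs a JDK, not a bare JRE");
        ByteArrayOutputStream diagnostics = new ByteArrayOutputStream();
        // -proc:none: compiling must not execute annotation processors found on the class path.
        int rc = javac.run(null, null, diagnostics, "-proc:none", "-d", work.toString(), src.toString());
        if (rc != 0) return "COMPILE ERROR\n" + diagnostics;

        // Never load the compiled class into the server JVM: start a child process instead.
        String java = Paths.get(System.getProperty("java.home"), "bin", "java").toString();
        Path out = work.resolve("stdout.txt");
        Process child = new ProcessBuilder(java, "-Xmx64m", "-cp", work.toString(), "Main")
                .directory(work.toFile())
                .redirectErrorStream(true)
                .redirectOutput(out.toFile())                        // file, so a full pipe cannot stall us
                .start();
        if (!child.waitFor(5, TimeUnit.SECONDS)) {
            child.destroyForcibly().waitFor();
            return "TIMEOUT";
        }
        return new String(Files.readAllBytes(out), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed submissions: one well-behaved, one that never terminates.
        System.out.println(compileAndRun(
            "public class Main { public static void main(String[] a) { System.out.println(6 * 7); } }"));
        System.out.println(compileAndRun(
            "public class Main { public static void main(String[] a) { while (true) { } } }"));
    }
}
```

The heap cap and timeout bound only memory and running time; the child process can still reach the file system and the network with the server account's rights, so it also needs OS-level isolation such as an unprivileged account, a container or a VM.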
You may want to check out Fixoncloud compiler. It's a web-based collaborative online compiler. Anyone can make changes to the code and you can also track history of your code. The compiler supports C, C++ and Java.
Depending on the permissions set to the code, the owner can also make his code completely private and permit only specific users to view/modify the code.
Here's the link to the compiler:
http://www.fixoncloud.com/Home/compiler/index.php?id=254

How To Export to JNLP in Eclipse

I watched today as someone painlessly exported a NetBeans java project to a JNLP file and HTML file that he could just copy to his web server. Making JNLP files by hand is slightly obnoxious, especially given the codebase parameter. I would love if I could do the same in Eclipse, but I can't seem to find such a function or a plugin which does this.
The only thing I've found is this article but I can't really parse it, it's a bit dense to me, for instance it mentions:
Ensure that the org.eclipse.equinox.launcher plug-in is in the feature or in one of the included feature;
But if that's even a grammatical sentence, I don't know how to ensure what it says.
Since I never did find an easy way to do it in Eclipse, I did one better, and made JNLPs easy to use on your server! I took the time to figure out the different little quirks that were confusing me, and decided that the necessity to manually specify an absolute codepath is obnoxious. So I wrote a PHP class which generates your JNLP file for you, so that you don't need to worry about the XML at all, and even better, you can use the exact same PHP file on a development server and a live server, or move it around, or whatever you'd like. It updates the codebase dynamically. Solved my problems.
I'm pretty sure that page you found is for developing Eclipse Plugins.
Why not just download NetBeans?
