I was wondering about the possibility to send Java Code to a servlet that the servlet will take and execute it?
For example I would send a chunk of code as String, which will be added and executed. Can anybody think of a way of how I would approach this?
This is certainly possible - you could send the compiled bytecode Base64-encoded, then decode it at the servlet and use a classloader to load it.
Or you could send a jarfile similarly encoded, save it to disk and add it to a custom URLClassLoader.
You may have major security issues if the code is untrusted, though.
See What are the security risks I should guard against when running user-supplied Java code?
tools.jar from JDK contains classes to compile Java code (used by Ant etc.), you can also use Eclipse compiler, if you want. It is possible, but from security point of view (code injection etc.) it would be disaster ;)
Related
Update: Jun 10, 2022
I have successfully been able to create a demo application with AspectJ integration that could extract variables from the demo application. It was quite a hassle since there's a bit of trouble going on with Eclipse AJDT integration.
I was able to use CLI Java and ajc (AspectJ compiler) to achieve binary weaving into my demo application.
Original Question:
I am trying to retrieve real-time data from a running Java application and push it into an API I have on a server.|
I have no access to the source code of the running application; I only have the Jar file. I have tried decompilation into .java files; however, due to the scale of the app, I was not able to fix all of the missing access$000 function calls.
Is there a certain approach I should use when retrieving real-time data from an existing Java application? Has that been done before? Am I missing something that I am not aware of?
Any help is appreciated.
This is big challenge obviously. If you can glean enough understanding of how the program works from decompiling and reading log files to target some methods where you suspect there's data of interest to your API, then I would read up about Aspect Oriented Programming [AOP] and use those tools.
With AOP you can modify the classes in the jar file at runtime as its loaded by the JVM and access the classes.
For example: You can gather data from:
fields within the class that owns a method
parameters passed to a method
value returned from a method
Once you gather the data, you can also insert calls to your API.
Here's a place to start - https://www.baeldung.com/aspectj .
I have with me a working copy of Apache FOP's Java Servlet source code.
I have compiled the code - which handles a doGet request - and deployed it on Tomcat on my localhost, and it works and its good.
BUT I need to add functionality for a POST method to the file.
I can do that, but I'm not sure how to use the source code. All of my experience in Java has basically been behind an IDE.
The servlet is built by an Ant script, build.xml, that seems to contain references to variable names. Do I need to add to this file at all? Can i just change stuff in my servlet.java, and go straight to building?
Yes, you can do that. If you have the source code and can build the project, then you can start a simple text editor, change the servlet Java file and then build the whole thing again.
But it will be time consuming. It can take a while until compilation problem are reported leading to high turnaround times. And you are unable to debug your code if something went wrong.
For some very small changes this approach might be suitable. But for larger changes it would be better to invest the time to configure your IDE for web application debugging.
I did a quick search and could not find anything on this topic. I am not even sure if this is possible, but I am curious.
Is it possible to compile a Java program on a server right before a user downloads the program. The application that I can think of for this would be to modify a program's source code on the fly before a user downloads it. This could be helpful in a setup where the program is modified based on user input or settings on a website and those changes are hard baked into the program so what they download is a stand alone program that is customized and fully portable. The other application I thought of would be if each user were to use a different feature combination in a program so it is compiled only with the feature set they need/want on the fly.
I have a few programs ideas that I could test this out with, but this is mostly an academic thought and curiosity of mine.
So long story short, does anyone know of any technologies that could make a system like this work?
Sure, it's possible.
Just let the download link point to some script, that compiles / packages the source and sends back the result. This can be implemented in, for instance PHP, in just a few lines of code. It's quite similar to captchas: On-the-fly generated unique data, retrieved through a URL.
I myself have thought about this idea for protocol obfuscation purposes and for "software registration key algorithm" generation.
I would however recommend you to factor out the parts which you want to be recompiled into a separate class / set of classes, compile only these, and package it with the rest of the (already compiled) program upon request.
I have written a library using the Compile API (comes with Java 6) to compile code in ememory but I would suggest you don't need to pre-generate code as anything you can do with generated code you can do with dynamic code. There can be a slight performance advantage, but I suggest you try doing what you need with dynamic code (i.e. code with loops, if statements and reflection) to do what your generated code would do first as this is alot simpler and likely to do what you want.
Even if you must have generated code, it is useful to write the code in a non-generated form first so you are clear as to what you need the code to do.
My project allows users to create custom css for our flex app.
In regards to compiling the CSS into SWFs on the server side:
Should I use the flex2.compiler.css.Compiler class in mxmlc-3.5.0.12683.jar?
Or
Should I invoke mxmlc from Runtime.getRuntime().exec()?
The css.Compiler class is not very well documented. Does anyone have any examples that use this?
For the Runtime exec method, what is the best way to package mxmlc into the maven build so its available to the server at runtime?
I think it is so rare that people try to compile Flex Apps on the fly at the server, that there probably isn't a best practice. My intuition is that using the jar file makes more sense if your server side code is Java.
But, if documentation is a problem the Flex command line compiler arguments are well documented and may save you a lot of time.
What techniques could I use to make my "jar" file Reverse Engineer proof?
You can't make it reverse engineer proof. If the java runtime can read the instructions, so can the user.
There are obfuscators which make the disassembled code less readable/understandable to make reverse engineering it harder, but you can't make it impossible.
Don't release it.
There is no such thing as hacker proof. Sorry.
EDIT FOR COMMENT:
The unfortunate truth is that no matter what barricade you put in the way, if the honestly want in, they'll get in. Simply because if they're persistent enough they'll be looking at your code from an Assembly level. Not a thing on earth you can do about it.
What you can look at doing is Obfuscating code, packing the jar and merging all externals packages into a single to make life harder. However no matter how high the hurdle, my comment in the previous paragraph still applies.
I think this is more about hardening the access path to the jar, more than anything else.
Try to determine what user context
will actually be executing the code
that will access the .jar. Lock
down access to the jar to read-only
access from only that user. How you do this
will depend on if you're using the jar from
a web app or a desktop .exe, and it will also
depend on the operating system you're running
under.
If possible -- sign the jar and
validate the signature from the
executable code. This will at least
tell you if the .jar has been
tampered with. You can then have
some logic to stop the executing application
from using the .jar (and log and display an error).
See jarsigner docs for more information.
I have seen one case where a company wrote a custom classloader, that could decrypt an encrypted jar file. The classloader itself used compiled JNI code, so that the decryption key and algorithm were fairly deeply obfuscated in the binary libary.
You are looking for an "obfuscator" (if you want to ship jars) . Many exist:
http://java-source.net/open-source/obfuscators
You should be aware that many obfuscation techniques removes information you may want to keep for troubleshooting purposes - think of the value of a stack trace from an irreproducible situation - or actual debugging sessions. Regardless of what you do, your quality testing should be done on the jars-to-be-shipped since the obfuscator may introduce subtle bugs.
If you really want to hide things, consider compiling to an native binary with gcj.
Definitely avoid placing any sensitive data in the code. For example:
passwords
database connection strings
One option would be to encrypt these (using industry-standard encryption routines; avoid rolling your own) and place them in an external configuration file or database.
As others have stated, any algorithms in deployed code can be reverse-engineered.
Sensitive algorithms could be placed in a web service or other server-side code if desired.