It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I would like to give an executable jar file to my client and I have a code in it to expire after a certain time. But if the client uses some decompiler and reads the class file, he can modify and make the code to work Is there any way I can stop this from happening.
Can I use deleteOnExit() or some other technique ???
If you are so worried someone will crack your software, you'll need to use some kind of client/server architecture where your client can only log in to a webpage in your servers.
Any code can be cracked if there's someone who really wants too. Of course, most of the time its simply not worth it.
Best solution for this is PaaS (platform as a service)..
put your logic on a server as server-app and let client-app communicating with server-app through web-service or any other way .. this is the best real solution..
BTW: using obfuscation cannot protect your code.
Sorry, not possible in any kind of environment currently in use. If you are so worried about the client stealing your code, it might be good to reevaluate your relationship with him.
On the other hand, you could provide him with a gated VNC view of your software, whereby he can use it but where you remain in control of the environment.
In the past, I've used Zelix KlassMaster to perform obfuscation. It does a very good job, however, you have to spend time to configure it such that it works properly for your needs. If you use reflection, then you have to ensure that it doesn't obfuscate those class/method/property names, etc. One of its strong suits is that it will obfuscate strings as well.
All that being said, the end result is that your client will still have your code, alebit in a very difficult-to-understand format. However, if he truly has the time and effort, he can reverse engineer it.
A lot also depends on exactly what it is that you are trying to protect. If you are trying to protect the actual IP then obfuscation will help you out. If you are trying to protect licensing, then obfuscation just makes it a little more challenging for someone to figure out where your licencing module(s) are and how to circumvent them. In the latter case, I would then suggest that you use something like AspectJ to weave in licensing checks in several different classes just to make it more difficult to break. However that too is not fail-proof.
As others have already said, the only fool-proof system is to not give the client the code in the first place and change to a SAAS (Service as a software) solution.
What about using a modified classloader that is able to load your classes from an encrypted storage. As you do not directly expose the jar and the classes inside it might help but as all others said above - it won't be bulletproof.
Related
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I need some tips on creating a Java application. A few words about the application: people in the company will log in with a pwd; customised access types; possibility to perform changes in a remote database from a host within the network.
This is probably a very simple program. At first I don't care for security matters, that can be optimised in time. I just don't know how to start.
So far I've played with some algorithms (I like algorithms), connected an applet to a database and done a few select/updates, a couple of swings.
Even something that sounds like detailed chapter titles that I can investigate can prove useful, as I'm not sure what to look for when I want to create an application that can be distributed in a network.
Based on the previous:
What do I need to create? An applet, a swing, etc? Should it be an .exe and how is that done roughly?
Thanks for any tips.
I hear the application should come with an installation kit? What will that install - probably the JRE after checking whether it's installed on the client PC? What else?
Other tips that I should know for starters?
I'm not worried about algorithms or class names in the context of a user action (a select/update,etc)- I can find those in libraries. I'm interested in how to actually create a basic application that can be sent to users all over the company (methodology/practices/trainings), that they can run and see on their screen the result of a simple select, let's say. Any pointers/good references - as there are a lot of sites out there and not all are good. Thank you!
For Desktop Applications with a GUI and Database interaction etc. you should consider the use of a Rich Client Framework like Netbeans Platform or Eclipse RPC. This will certainly make a few things way easier, for example deploying the application, creating installers or multiple windows with docking capabilities.
By the way
At first I don't care for security matters
is generally a very, very bad idea...
Are you trying to launch the application from a web link? Then what you're looking for is "JNLP" or "Java Web Start".
https://en.wikipedia.org/wiki/Java_Web_Start
There are ways to set up user perms as part of the launch, and it will provision and deploy code and updates if necessary.
Good luck!
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
maybe this is not a technical question but I bet here are many experienced developers that can help me answering that
thanks
A DAO layer is essentially an abstraction like Sajit says. However I disagree with his interpretation. The point of abstracting something to achieve a goal - usually the simplification of some more complex use case.
You could easily create a DAO layer that also provides more functionality than simply doing application entity - data entity mapping. It could provide caching, optimisation, translation, resiliency etc. So There is no reason why it could not offer the ability to better scale your application.
Ultimately is depends on terms - what does scaling mean to your application? More/faster ??? etc.
Dao is typically used to abstract away the implementation details of the database in an application and has nothing to do with scalability.
The DAO (Data Access Object) is used to provide a layer of abstraction over the database. It tends to have methods which in turn eventually open connections and execute queries and/or stored procedure.
I think that when it comes to the scalability issue, you need to watch out for 1 major thing in a DAO: Connection management. If you are using some third party library, maybe something along the lines of Hibernate you will most likely have to worry less about connections since these are managed by the library itself.
On the other hand, if you implement everything yourself you will need to make sure that you open the connection at the last moment possible and release it at the first possible moment. Having a DAO which hogs connections will eventually limit how will your application scale.
Lastly, in some cases, the DAO passes direct queries to the database. You will need to keep an eye on how you build these queries to make sure that they do not involve any unneeded processing.
In really simple words, You really can't make a scalable application if everything is tied up. DAO is just another layer which helps you deals with the Data Access Logic. This way you know where you can find your dynamic sql and stuff and can enhance and maintain it.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I'm currently developing a programming contest website, and want to implement support for submitting code and running it on the website. After quite a bit of googling, I still haven't found any "guides" for this.
Does anyone know of a website(or other sources) that contains some basic guidelines or ground rules for this?
Appreciate all replies.
PS: If anyone wonders about all the programming language tags, I'm planning on supporting at least these languages.
Careful -- if you're finding it difficult to break this project down into some smaller, more tactical problems, I'd strongly suggest that you make no attempt whatsoever to actually run anyone else's code on your site. In terms of creating the site itself, I'd suggest leveraging pre-built components or services where possible -- Wordpress, GitHub, etc.
Once you've got the submissions, you'll want to have a way to run them safely. For all practical purposes, this means that you should assume that any machine you run someone else's code on might spontaneously burst into flames. While it's true that some of these languages have features you should be able to use to run code in a "sandbox", you're probably not going to be expert enough in all these languages to be able to properly secure all of them.
It seems that something like Amazon's EC2 might be helpful -- spin up a VM when you need to run a submission, and throw it away when you're done. They've got some pre-configured images that would probably be well-suited to running this code, and if something gets buggered up because of buggy or malicious code, you don't mind too much because you're just going to throw it away when you're done.
There is a site that already does this, albeit for a particular purpose: scraping data.
https://scraperwiki.com/ - Unlike jsfiddle, scraperwiki executes server-side code. As far as I can gather, they likely sandbox the environment via amazon instances. Not sure that their code can be entirely audited and sanitized, given the variety of languages and scraping libraries they support.
I think most people are baffled as to how scraperwiki keeps hackers and spammers at bay from misusing their resources. They've been rather mum about it; either they've manually audited every bit of executed code, or hackers/spammers haven't caught onto them yet. Since the site has a specific function, they probably check data utilization to determine suspicious activity. ...but, one man's site scraping is another man's harassment and injection by get/post.
My hunch is that they'll never publicly spell out what their security audit process is like.
If you really had to do it, simplest mechanical way of doing this without virtualization is to use a variant of eval(). But, not all languages have that. Which brings you to option B, which is virtualization. Better people than I can explain how to regiment virtual machines to this effect, and will caution you properly on letting strangers abuse your resources. Instead, I'll share my PHP experience.
Some years back I've made a project that does code execution on the fly (on a local machine.) As you type, it takes the code via ajax and executes after each keystroke. Here's a video of its behavior: http://www.youtube.com/watch?v=Yfxrt2pc3pg.
Half a decade and 3 improvement prototypes later, I'm still not sure how I would responsibly lock this down as a common resource.
For Java it is quite simply:
You're have to create Servlet, for uploading source code into server (for
example, via POST request)
Use Java Compiler API to compile source code to bytecode ( tutorial )
Compiled bytecode you're might dynamically load via ClassLoader and launch it (also you're might configure SecurityManager)
And don't forget about MVC architecture :)
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 12 years ago.
Hypothetically, could java be used to write a website instead of, say, asp.net. or php?
J2EE is an entire branch of Java made towards running Java as a web server. It includes making it easy to code for distributed servers, a messaging protocol and database interaction. It's extremely powerful, well written and stable and you'll find it's used by many large web sites.
It's also very different from just coding a simple single-purpose server. Some of the complication is up-front/built in, so there is a larger initial learning curve but you won't encounter many of the problems you would if you tried to do it on your own...
For instance, imagine the most complex server-side code you've written--what would it take to make it run distributed across 2 servers (So that either server may answer any request with the requests based on server load)? If it were written in proper J2EE it would just be editing a few config files.
Some would argue that this is what Java is mostly used for! Sarcasm aside check out the Wikipedia entry for Java Enterprise Edition for the summary and of course the official Oracle Java EE website for details.
Basically there is a whole host of mature server APIs and application servers from different vendors (including Open Source vendors) that implement those APIs. Server side Java is really a mini-industry with god knows how many companies, open source projects, conferences and the like.
If you are new to server side Java you coming in at a good time, you missed the dark days EJB 1.0 and 1.1 and now there is a rather useful, if a little heavyweight set of APIs on which to build your server side applications.
Yes, it is actually quite common.
I think so. It's the basis for JSP and Java Servlets.
Yes.You can use Tomcat web container or glass fish, JBoss,...
There is few frameworks, like Tapestry, JSF,...
If you encountered a .jsp extension for a page, it was definitely Java (.jsp = Java Server Pages). Of course you can generate plain HTML (or whatever you want) as well.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 12 years ago.
Firstly, in my opinion, this question is relative to programming, as much as the answers (and the question itself) is subjective, I would like to see some of these subjective opinions, and other ideas that come from it.
My company is deep in bed with oracle. They are making a strong move towards java, and well forcing JDeveloper down on us (me) as the 'best tool' for the job. Now, dont get me wrong, JDeveloper looks amazing, it has all these nice trinkets that would make anyone smile when unwrapping. But...
I tend to always end up having to investigate some tiny problem that the IDE suffers to do right. Essentially bugs. Like at times when for no reason EJB's do not deploy anymore. Or the ADF front end stop calling data controls for action buttons. Then I have the times that It crashes out completely when editing persistance information. In the end, I spend more time figuring out what is wrong with it, to no avail. And well, my company is not about the take out money to get support for the development tool. I end up sitting with problems that take hours up to days to resolve, which should be taking 10 minutes.
I have seen and experienced similar productivity killing problems in IBM's websphere products too. And not It's not just me, I have seen teams unable to work for days because of issues.
My solution to this has always been to use the eclipse j2ee set. It allows me to be more in control of everything that's being used. And so, even if eclipse gives me problems, I can resolve these issues. And well, personally, I would prefer my company accepting that as a preferred tool, as solving problems would be easier, and there would be more 'professionals' arround, as our problems would more likely be j2ee related, and server related rather than IDE related (We get tons of server side support). I feel the 'abstraction' that larger IDE's provide can cause lots of headache's and tend to be a project killer.
Why do I struggle so much with JDeveloper. Am I alone?
Is it wrong of me to take a stand and recommend going against JDeveloper as the core development tool in our company?
Because well, this is the 'campaign' I would like to walk into now, up to the point of demonstrating the flaws, as the video's only show the perfect moments.
You are not alone! I could rail against JDeveloper but i'll restrain myself.
Unfortunately, JDeveloper is the only IDE that supports all the Oracle-centric technology. So, while i'm sorry for your pain, and, trust me when i say, i understand more than you know, but, in an Oracle house, no other IDE will do. It's a real shame that you don't have support though. You'll likely need to file lots of bugs.
It's really unfortunate that Oracle seems insistent on continuing with JDeveloper even now that they own NetBeans. JDeveloper is far behind Eclipse and NetBeans. They'd have far greater developer acceptance of their technology if they actively supported Eclipse and/or NetBeans, at the very least, in parallel with JDeveloper. There's actually quite a nice, extensive set of technology in ADF that is being hidden behind and hampered by such a horrendous development tool.
And as a means to try and help you solve all the problems you'll encounter with JDeveloper, try this. Use two local mercurial or git repositories. One for your JDev system folder (init in the parent of system/) and a repo for your application/project. Before finishing (or starting) any wizard, add and commit (hg com -Am 'savepoint' or git commit -am 'savepoint') both repos. This'll give you a way to rollback and also diffs of how JDeveloper broke a working project which might give you clues about how to fix things.
Also, you might want to keep a log for your managers to show how much time you spend managing JDeveloper instead of progressing on your projects.
Good luck.
Note: Version control on the jdev system folder is a little questionable for rollbacks since it seems jdev buffers some writes and keeps some files open. Which means you might take a snapshot of an inconsistent or incomplete state. It's better to use that repo as an ongoing view of what is changing.
EDIT: Also see Oracle Enterprise Pack for Eclipse