Mossaddeque Mahmood

Reputation: 927

Insecure WAR in a server machine

I'm going to deploy my webapp (WAR) on a server machine. But the server machine is in the client's hands, and they take database dumps (so new data can be created), and the WAR file can be copied from the Tomcat webapps directory. The OS is Windows. If they are able to copy my WAR and create a database, they can use it elsewhere. How can I protect this? JNI? Something else? If JNI, what's the smart way?

Upvotes: 1

Views: 132

Answers (2)

Stephen C

Reputation: 719239

Seriously, if you cannot trust the people who run the server on which your software is to run, then there is no viable technical solution that will prevent them stealing it and running it somewhere else.

All known technical "fixes" (e.g. obfuscation, encrypted classes, license managers, "call home", etc.) only make it a bit harder for the bad guys. They can all be defeated relatively easily. IMO, they are not worth the effort and the accompanying technical problems that they cause for you and/or your client.

Your best approach is the legal one:

  • Get your lawyers to help you draw up a contract with the client that expressly forbids them from reverse engineering your software, modifying it, running it in ways that you don't want, and so on.

  • Get the client to agree to the contract.

  • Monitor what they are doing (to the extent that you can), and if it looks like they are violating the contract ... SUE THEM.

Even this is not a guarantee, but it should cause your client to have second thoughts about stealing your stuff.

Upvotes: 2

cherouvim

Reputation: 31903

Possible solutions:

  1. Use a code obfuscation library. This will make the code look complex in case they try to decompile it (in case they need to change anything). This is usually software that you need to buy, and sometimes it will complicate things when you try to look through an exception when debugging the live system.
  2. Include checks in your code that prevent the application from running in case some "hidden" environment variable (or whatever) is not found.
  3. Set up a contract with your client which will explicitly forbid him from stealing and using your app/code elsewhere.

Solution #3 is the most common.

Upvotes: 0
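A startup gate of the kind cherouvim's item 2 describes, as an added example (not code from the question or from either answer). It binds an HMAC-SHA256 token to the server's host name and refuses to deploy the context when the expected environment variable is missing or wrong. The class name, the `MYAPP_LICENSE_TOKEN` variable name and the placeholder secret are assumptions, as is the Servlet 3.0+ API (`javax.servlet`, e.g. Tomcat 7 to 9) that lets `@WebListener` register the listener without a `web.xml` entry.

```java
// Added example, not from the question or the answers. Names and secret are
// assumptions. Assumes Servlet 3.0+ (javax.servlet, e.g. Tomcat 7-9).
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

@WebListener
public class LicenseGate implements ServletContextListener {

    // Vendor-side secret compiled into the WAR. Anyone holding the WAR can
    // recover it, which is why Stephen C's answer treats checks like this as
    // a speed bump rather than a guarantee.
    private static final byte[] SECRET =
            "replace-with-vendor-secret".getBytes(StandardCharsets.UTF_8);
    private static final String ENV_VAR = "MYAPP_LICENSE_TOKEN"; // assumed name

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        String host = localHostName();
        String presented = System.getenv(ENV_VAR);
        if (presented == null || !tokenMatches(host, presented)) {
            // An exception thrown here makes Tomcat mark the context as failed
            // ("Error listenerStart"), so the application never serves a request.
            throw new IllegalStateException(
                    "License check failed for host '" + host + "'; refusing to start");
        }
        sce.getServletContext().log("License check passed for host " + host);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /** HMAC-SHA256 over the lower-cased host name, Base64-encoded: the value the vendor hands out. */
    public static String tokenFor(String host) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            byte[] tag = mac.doFinal(host.toLowerCase().getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** Constant-time comparison so response timing does not reveal how much of the token matched. */
    static boolean tokenMatches(String host, String presented) {
        byte[] expected = tokenFor(host).getBytes(StandardCharsets.UTF_8);
        byte[] given = presented.trim().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    static String localHostName() {
        try {
            return InetAddress.getLocalHost().getHostName();
        } catch (UnknownHostException e) {
            return "unknown-host";
        }
    }

    /** Vendor-side helper: "java LicenseGate <hostname>" prints the variable to set on that server. */
    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : localHostName();
        System.out.println(ENV_VAR + "=" + tokenFor(host));
    }
}
```

The vendor runs `main` once per licensed machine and the client sets the printed variable in the environment of the Tomcat Windows service (or in `setenv.bat`); a copy of the WAR started on a machine with a different host name fails at `contextInitialized` and Tomcat logs the failure, which is the kind of monitoring signal Stephen C's third bullet relies on. Because the secret lives inside the WAR, a determined copier can regenerate tokens after decompiling, so this belongs alongside the contract, not in place of it.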
