boonleng
asked on
Applet security issue.
I'm involved in a banking project and my boss wants it to be in Rich Internet Client format using an applet.
Cool, but the problem with using an applet is that users are able to download the applet class file and its related class/jar files, then decompile them to view the source code.
Although the source code only involves UI with no business logic, at the end of the day I don't think the project will be able to pass the bank's security checklist if users can download and decompile the files.
Are there any ways to protect the class files besides obfuscation?
If not, then I would have to switch to using JSP via servlets.
Any suggestion would be appreciated!
Thanks.
Regards,
Boon Leng
ASKER CERTIFIED SOLUTION
Use a thin applet. Perform everything on the server side and communicate over HTTPS or SSL.
Also, sign the applet, and on the server side perform authentication of the client applet signature.
If you do not choose to use SSL, make sure to never send any meaningful cleartext information (e.g. user/password...).
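The thin-applet approach from the answer above, as an added example that is not part of the original thread: the client holds no business rules and no secrets, refuses to talk to anything but an HTTPS endpoint, and forwards the user's input to the server, where all authorization and validation happen. The endpoint URL and parameter names are placeholders.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import javax.net.ssl.HttpsURLConnection;

/**
 * Thin applet back end: everything a decompiler can recover from this class
 * is the request format. Balance rules, limits and authentication decisions
 * live in the server-side servlet, never here.
 */
public class ThinBankingClient {

    // Placeholder endpoint (not from the original thread).
    private static final String TRANSFER_URL = "https://bank.example/secure/transfer";

    /** Refuses plain HTTP so credentials and session data never go out in cleartext. */
    static HttpsURLConnection openTlsConnection(String url) throws IOException {
        HttpURLConnection raw = (HttpURLConnection) new URL(url).openConnection();
        if (!(raw instanceof HttpsURLConnection)) {
            throw new IOException("Refusing non-HTTPS endpoint: " + url);
        }
        return (HttpsURLConnection) raw;
    }

    /**
     * Sends a transfer request. The session cookie was issued by the server at
     * login; the applet merely carries it back. The server re-checks the session,
     * the account ownership and the amount on every call.
     */
    public static String submitTransfer(String sessionCookie, String toAccount, String amount)
            throws IOException {
        HttpsURLConnection conn = openTlsConnection(TRANSFER_URL);
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Cookie", sessionCookie);
        String body = "to=" + URLEncoder.encode(toAccount, "UTF-8")
                    + "&amount=" + URLEncoder.encode(amount, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes("UTF-8"));
        }
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            return in.readLine(); // server's verdict; the applet only displays it
        }
    }
}
```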
ASKER
Thanks a lot.
Thanks for accepting
ASKER
This is a banking project and the bank will pass the application to a bunch of people to evaluate and hack the system. Last time they even marked the author name that existed in the JavaScript as one of the security holes (they said people might use the author to find out info about the system). Because they don't evaluate every single line of the code, even if there's no logic put in the applet, they will probably treat it as a security issue if they are able to decompile it :(
Currently I'm designing the system to use Spring + Hibernate at the back and an applet as a thin client at the front. Struts will also be used for some of the modules. Acegi and SSL will be included for security.
If I choose the applet approach, is there anything I need to take note of, or any suggestion to increase the security?
Thanks a lot.