[Last Call] Learn how to a build a cloud-first strategyRegister Now


Securing WAR (Jar) Files In Web Application

Posted on 2005-05-03
Medium Priority
Last Modified: 2013-11-23
I've been looking for a way to lock down a web application that I have to distribute to various clients in the form of a WAR fire (jar file with a different extension).

This application makes use of xml files for settings, (It's Struts based, so the struts-config.xml, and validation.xml..etc), however my employer is inhibiting the distribution of the software because a potential client can extract the xml files and make a change to render our validation (as well as other things) worthless.

He therefore wants me to find a way to secure the WAR file so that it will not function if it has been tampered with.

My research has brought me to what people call 'Signed Jar Files' and 'SecurityManagers' however how the concepts work practically are not described anywhere, and I am therefore asking if someone can show me how I may make use of these signed jar files, and a security manager in my web application.

I'd like, if possible, to do this all within the contained war file, without any 'policy' files if that is possible, or at the very least, with as few additional files / changes outside of the war file as possible.

Question by:Krule
  • 3
  • 2
  • 2
LVL 92

Expert Comment

ID: 13923496
Can you protect it from the OS level using file permissions?
LVL 15

Accepted Solution

aozarov earned 1125 total points
ID: 13923542
A simple aproach (and not bullet proof)
Write a utility that creates a message digest from your jar. (see http://javaalmanac.com/egs/java.security/Digest.html )
Provide that message digest together with you war and on deployment create the digest again and compare it to that file.
It is not that strong as the client can generate the MD itself and replace it (though it is not as simple as modyfing your jar).

You can use the information from this link: http://java.sun.com/docs/books/tutorial/jar/sign/signing.html
to create a singed jar
and then on deployment you can run the verfication process: http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/jarsigner.html (JAR File Verification)
This process will require you to provide your clients with your public key.


Author Comment

ID: 13925315
OS level file protection is out of the question. This will be distributed to various people on multiple OS

What i'm looking for is a way to, via the code, Test a jar file to make sure it has not been tampered with

Here's what I'm thinking right. I could calculate the Md5 hash on the .xml files, then in the code (somehow) test to see if I get the same hash before I begin my web app (in a servlet that is called once or something...nothing heavy here)
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 92

Expert Comment

ID: 13925348
really depends on the level of skill and amount of effort they want to put into cracking it. All security is crackable, its just a matter of deciding on a level of security that is acceptable.

Author Comment

ID: 13926194
For the spec that I was given we assume they will not be editing the .class files since they are compiled and obfuscated (Even though it is possible to reverse engineer a class file, we assume they will not)

The security only needs to ensure that the xml files have not been altered. So I believe (correct me if I'm wrong) that if we were to get an MD5 hash on the xml files (each individually) and then test if the hash is the same in a Servlet (At runtime) using something like this


if( md5.encrypt("validation.xml").equals(VALIDATION_XML_MD5) )


My question is: Is this plausible? And is it too easy to crack?
LVL 15

Expert Comment

ID: 13928807
>> I could calculate the Md5 hash on the .xml files, then in the code (somehow)
Did you see my above link -> http://javaalmanac.com/egs/java.security/Digest.html (shows how create MD5 on some byte[] content).

>> Is this plausible? And is it too easy to crack?
It is far more complex then just tampering with the xml file.
It will require applying the md5 on that file using the password stored in your Class file {need to decompile this file} then change your class file with the new signature {need to recompile it again}. So for this kind of need I personally think it should be sufficient (though it is definitely not bullet proof).
Adding to the contract with your clients a non-reverse engineering clause would help as well 
LVL 92

Expert Comment

ID: 13931196
> My question is: Is this plausible? And is it too easy to crack?

If you're assuming they cannot alter class files then you should be safe

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will learn different types of Android Layout and some basics of an Android App.
Basic understanding on "OO- Object Orientation" is needed for designing a logical solution to solve a problem. Basic OOAD is a prerequisite for a coder to ensure that they follow the basic design of OO. This would help developers to understand the b…
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
Viewers will learn about arithmetic and Boolean expressions in Java and the logical operators used to create Boolean expressions. We will cover the symbols used for arithmetic expressions and define each logical operator and how to use them in Boole…
Suggested Courses
Course of the Month18 days, 6 hours left to enroll

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question