Securing WAR (Jar) Files In Web Application
Posted on 2005-05-03
I've been looking for a way to lock down a web application that I have to distribute to various clients in the form of a WAR file (a jar file with a different extension).
This application makes use of XML files for settings (it's Struts-based, so struts-config.xml, validation.xml, etc.); however, my employer is inhibiting the distribution of the software because a potential client can extract the XML files and make a change to render our validation (as well as other things) worthless.
He therefore wants me to find a way to secure the WAR file so that it will not function if it has been tampered with.
My research has brought me to what people call 'Signed Jar Files' and 'SecurityManagers'; however, how the concepts work in practice is not described anywhere, and I am therefore asking if someone can show me how I may make use of these signed jar files and a security manager in my web application.
I'd like, if possible, to do this all within the contained war file, without any 'policy' files if that is possible, or at the very least, with as few additional files / changes outside of the war file as possible.