
Protecting JSP Code from being public

Hi,

I have a sensitive web application that is hosted on Tomcat and uses many Java Beans.

How can I best protect the code from being made visible?  At times when there is a dramatic error, there is a dump into the browser.  All in all, how much can I protect my code, and how much care should I put into ensuring that data like passwords are not easy to read from the code?

Cheers
Angus
Asked: amacfarl
maXXXeE commented:
OK, I guess you know this. The JSP code is never visible to the client; only the HTML is output to the browser.

>> At times when there is a dramatic error, there is a dump into the Browser.
To prevent code from being shown, you can add a page directive for a custom error page.
<%@ page errorPage="error.jsp" %>
If you add the above line, when an error occurs in your JSP page the users will be redirected to an error page (error.jsp in the above example).

And now about the password:
try not to keep it hardcoded in the JSP or beans.
Wherever you store the password, try to keep it encrypted.
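An added example of what such an error page can look like, written for this thread and not code from the commenter or the original poster: it logs the full exception on the server only, sets the status and cache headers, and shows the browser nothing but a generic message with a reference id. The page name error.jsp and logging through the servlet context are assumptions.

```jsp
<%-- error.jsp: the page named in the errorPage directive of the application's JSP pages (assumed name) --%>
<%@ page isErrorPage="true" contentType="text/html; charset=UTF-8" %>
<%@ page import="java.util.UUID" %>
<%
    // A random reference id lets support find the server-side log entry
    // without the browser ever seeing the stack trace.
    String incidentId = UUID.randomUUID().toString();

    // The container stores the URI that actually failed in this attribute
    // (request.getRequestURI() would return error.jsp after the forward).
    Object failedUri = request.getAttribute("javax.servlet.error.request_uri");

    // Log the full exception through the servlet context (server side only).
    // The implicit "exception" object is available because isErrorPage="true".
    if (exception != null) {
        application.log("Unhandled error " + incidentId + " on " + failedUri, exception);
    }

    // Return a proper error status and keep browsers and proxies from caching the page.
    response.setStatus(500);
    response.setHeader("Cache-Control", "no-store");
%>
<html>
<head><title>Error</title></head>
<body>
<h1>Sorry, something went wrong.</h1>
<p>Please contact support and quote reference <%= incidentId %>.</p>
</body>
</html>
```

To also cover pages that lack the directive, a web.xml entry `<error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>` routes uncaught exceptions to the same page.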
amacfarl (Author) commented:
maXXXeE thanks for your prompt response and the code snip.  It will be very useful.

Re your comment about passwords.  I am struggling to find a safe way to manage these.  The reason being that if I encrypt my password I will need to use an encryption algorithm; however, the encryption algorithm that we are using is based on a passkey which is 62 characters long.  This passkey needs to be stored somewhere, and so the story goes on.... I am left with the same issue as with hardcoding the password, as with the encryption key you can decrypt the passwords.

Now, if I don't hardcode it, then where is the best place to store it?  I looked into storing it in a file on the server, but processing the file becomes time consuming and a bottleneck for the process.

Any suggestions?  I am sure that this is not a problem that others have not faced, but I am looking to protect my customers' data.

Are there any algorithms which allow one encryption key and another decryption key (i.e. different keys)?

Cheers
Angus
COBOLdinosaur commented:
For passwords just use MD5.  When Tomcat does the authentication, include checking the password against an MD5 hash value. There is no issue of decrypting because it is a one-way encrypt.

Cd&
maXXXeE commented:
If not hardcoding,
it's best to store it in a database;
else you have to use a file.
amacfarl (Author) commented:
COBOLdinosaur & maXXXeE

Thanks for helping out.  You have answered my question.  I am closing this question as I believe the issue about passwords merits a new question, as it is a separate topic.

I have split the points between you.
Regards
Angus

COBOLdinosaur commented:
Glad we could help.  Thanks for the A. :^)

Cd&
maXXXeE commented:
Thanks Angus, for the points.