Protecting Java Applications That Work With Reflection

Sentinel LDK Envelope makes use of reflection. Therefore, there is a limitation on protecting Java applications that use reflection APIs, such as applications using the Spring Framework. However, the following solution has been tested for use with applications that use reflection:

Use the dfcrypt utility with the Version 2 data protection mode to protect Java class files. The encrypted class files can be decrypted at runtime by a DLL or shared object (Linux) that has been protected with Envelope and contains the Data Protection module.

Proceed as described below to protect and distribute applications that use reflection.

Required Files

Files for the Sentinel Java Data File Protection runtime library (referred to below as the Java DFP runtime library) can be found on the machine where Sentinel Vendor Suite is installed, under the following directory:

../Linux/Samples/Envelope/Java

The following directories are included:

servlet

Contains the rtservlet source file.

runtime

Contains the Java DFP runtime library (DLL or shared libraries). This will be protected with Sentinel LDK Envelope and Sentinel LDK Data Protection utility using the Version 2 protection mode.

agent

Contains the Java DFP agent (sntljavadfpagent.jar).

Protect the Java DFP Runtime Library

NOTE: You only need to perform this procedure once. The protected Java DFP runtime library can be used for all applications that are protected using the same Batch Code.

Use Envelope for Linux to protect the Java DFP runtime library.

The 32-bit and 64-bit versions of the Java DFP runtime libraries are located in:

Linux/Samples/Envelope/Java/runtime

In the Envelope command line, be sure to include the parameter: --dfp

Protect the Class Files for Your Application

Before You Begin

1. Select the Feature ID that you will use below to protect class files. Make sure that you include this Feature ID in the protection key that you provide to your customers.

2. Extract the web application archive.

For example: jar -xvf SampleWar.war

SampleWar represents the application to be protected.

Use dfcrypt to Protect the Class Files

You must protect the class files for your application before each build.

dfcrypt is a command-line utility that you can use to protect the class files for your application. Set up the dfcrypt commands in a batch procedure that will be run as required before each build.

For example:

dfcrypt -v:2 -c:demoma.hvc -f:25 classes classes_protected

This command encrypts all the files in a directory called classes using the specified Vendor Codes file. Feature ID 25 is used to license each file. The encrypted files are written to the classes_protected directory.

For more information, see the description of dfcrypt in the Sentinel LDK Software Protection and Licensing Guide (for Sentinel EMS or Sentinel LDK-EMS).

Prepare the Protected Application for Distribution

Prepare the protected application for distribution using one of the following modes. Which mode applies depends on how the entry point servlet is configured:

Java Agent Mode: Use this mode when your application’s web.xml contains servlet elements and the servlet-class was encrypted.

Servlet Mode: Use this mode for better and easier deployment.

Each mode is described below.

Java Agent Mode

1. Locate and replace all unencrypted classes in the SampleWar directory with the encrypted classes. All class names and locations should remain unchanged.

2. Copy the Java agent file (sntljavadfpagent.jar) to the application server’s bin directory, for example: tomcat/bin.

3. Create or modify setenv.sh in the application server’s bin directory (for example: tomcat/bin) with the following content:

CATALINA_OPTS="-javaagent:sntljavadfpagent.jar=appCode=10000"

4. Create or modify setenv.bat in the application server’s bin directory (for example: tomcat\bin) with the following content:

set CATALINA_OPTS="-javaagent:sntljavadfpagent.jar=appCode=10000"

5. To pack the WAR file, switch to the SampleWar project directory and enter the command:

jar cvf SampleWar.war *

Servlet Mode

1. Locate and replace all unencrypted classes in the SampleWar directory with the encrypted classes. All class names and locations should remain unchanged.

2. Copy the entire directory from

Linux/Samples/Envelope/Java/servlet/com

to

SampleWar/WEB-INF/classes/

For example, a target location is: SampleWar/WEB-INF/classes/com/thalesgroup/javadfprt/rtservlet.class

3. Add the Sentinel servlet entry to your web.xml file:

<servlet>
    <servlet-name>rtservlet</servlet-name>
    <servlet-class>com.thalesgroup.javadfprt.rtservlet</servlet-class>
    <load-on-startup>0</load-on-startup>
</servlet>

4. To pack the WAR file, switch to the SampleWar project directory and enter the command:

jar cvf SampleWar.war *
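A pre-packaging check for step 1 of both modes, as an added example that is not part of the Sentinel LDK documentation: it lists class files that are still ordinary compiled classes, so a build can stop before an unencrypted class ships in the WAR. It assumes that dfcrypt output no longer begins with the standard class-file magic bytes; the function names, the optional skip argument and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Sentinel LDK code. A compiled Java class always starts
# with the bytes CA FE BA BE. Assumption: a dfcrypt-protected file does not.

# List .class files under $1 that still carry the plain class-file magic.
# Optional $2 (hypothetical argument): path substring to leave out of the check.
find_plain_classes() {
    root=$1 skip=${2:-}
    find "$root" -type f -name '*.class' | sort | while IFS= read -r f; do
        if [ -n "$skip" ]; then
            case "$f" in *"$skip"*) continue ;; esac
        fi
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "cafebabe" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Build gate: succeed only when no plain class is left in the tree.
check_protected() {
    left=$(find_plain_classes "$@")
    if [ -z "$left" ]; then
        return 0
    fi
    printf '%s\n' "$left" | sed 's/^/not encrypted: /' >&2
    return 1
}

# Constructed sample tree: one class left in plain form and one stand-in
# for a dfcrypt-protected file (arbitrary bytes, not real dfcrypt output).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/classes/app"
    printf '\312\376\272\276' > "$d/WEB-INF/classes/app/Plain.class"
    printf 'NOTACLASSFILE' > "$d/WEB-INF/classes/app/Protected.class"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
if check_protected "$sample/WEB-INF/classes"; then
    echo "build gate: OK"
else
    echo "build gate: FAIL"
fi
rm -rf "$sample"
```

In Servlet Mode, the page does not say whether the copied rtservlet class is delivered in plain form; if it is, pass a path substring for it as the second argument so that only your own classes are checked.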

Deploy and Execute the Protected Application

1. Copy the protected Java DFP runtime library to the server's bin directory, for example: tomcat/bin.

2. Copy SampleWar.war to the Web Server’s deployment directory, for example: tomcat/webapps.

3. When using the Java Agent mode:

a. Copy the Java agent file (sntljavadfpagent.jar) to the application server’s bin directory, for example: tomcat/bin.

b. Create or modify setenv.sh in the application server’s bin directory (for example: tomcat/bin) with the following content:

CATALINA_OPTS="-javaagent:sntljavadfpagent.jar=appCode=10000"

4. Connect a Sentinel protection key with the appropriate Batch Code and Feature ID.

5. Start the Web Server.