Protecting Java Applications that Use Reflection

This topic demonstrates how to protect and distribute Java applications that use reflection.

The following topics are described:

>Protect the Class Files for Your Application

>Prepare the Protected Application for Distribution

>Deploy and Execute the Protected Application

Required Files

Files for the Sentinel Java Data File Protection runtime library (referred to below as the Java DFP runtime library) can be found on the machine where Sentinel Vendor Suite is installed, under the following directory:

%ProgramFiles(x86)%\Thales\Sentinel LDK\Samples\Envelope\Java

The following directories are included:

servlet	Contains the rtservlet source file.
runtime	Contains the Java DFP runtime library (DLL or shared libraries). This will be protected with Sentinel LDK Envelope and Sentinel LDK Data Protection utility using the Version 2 protection mode.
agent	Contains the Java DFP agent (sntljavadfpagent.jar)

Protect the Java DFP Runtime Library

NOTE You only need to perform this procedure once. The protected Java DFP runtime library can be used for all applications that are protected using the same Batch Code.

The Intel 32-bit and 64-bit versions of the Java DFP runtime library are located in:

%ProgramFiles(x86)%\Thales\Sentinel LDK\Samples\Envelope\Java\runtime

Use Envelope to protect the required version of the Java DFP runtime library. (Envelope will identify and protect the library as a Windows program. This is the expected behavior.) On the General tab, be sure to select Enable data file protection. Ensure that Version 2 is displayed.

Protect the Class Files for Your Application

Before You Begin

1.Select the Feature ID that you will use below to protect class files. Make sure that you include this Feature ID in the protection key that you provide to your customers.

2.Extract the web application archive.

For example: jar -xvf SampleWar.war

SampleWar represents the application to be protected.

Use dfcrypt to Protect the Class Files

You must protect the class files for your application before each build.

dfcrypt is a command-line utility that you can use to protect the class files for your application. Set up the dfcrypt commands in a batch procedure that will be run as required before each build.

For example:

dfcrypt -v:2 -c:demoma.hvc -f:25 classes classes_protected

This command encrypts all the files in a directory called classes using the specified Vendor Codes file. Feature ID 25 is used to license each file. The encrypted files are written to the classes_protected directory.

For more information, see the description of dfcrypt in the Sentinel LDK Software Protection and Licensing Guide (for Sentinel EMS or Sentinel LDK-EMS).

Prepare the Protected Application for Distribution

You prepare the protected application for distribution using one of the following modes due to different entry point servlet configurations:

>Java Agent Mode

Use this mode when your application’s web.xml contains servlet elements and the servlet-class was encrypted.

>Servlet Mode

Use this mode for better and easier deployment.

Each mode is described below.

Java Agent Mode

1.Locate and replace all unencrypted classes in the SampleWar directory with the encrypted classes. All class names and locations should remain unchanged.

2.Pack the WAR file, switch to the SampleWar project directory, and enter the command:

jar cvf SampleWar.war

Servet Mode

1.Locate and replace all unencrypted classes in the SampleWar directory with the encrypted classes. All class names and locations should remain unchanged.

2.Copy the entire directory from

%ProgramFiles(x86)%\Thales\Sentinel LDK\Samples\Envelope\Java\com

SampleWar/WEB-INF/classes/

For example, a target location is: SampleWar/WEB-INF/classes/com/thalesgroup/javadfprt/rtservlet.class

3.Add the Sentinel servlet entry to your Web.xml file:

<servlet>
    <servlet-name>rtservlet</servlet-name>
    <servlet-class>com.thalesgroup.javadfprt.rtservlet</servlet-class>
    <load-on-startup>0</load-on-startup>
</servlet>

4.Pack the WAR file, switch to the SampleWar project directory, and enter the command:

jar cvf SampleWar.war

Deploy and Execute the Protected Application

1.Copy the protected Java DFP runtime library to the server's bin directory, for example: tomcat\bin.

2.Copy SampleWar.war to the Web Server’s deployment directory, for example: tomcat\webapps.

3.When using the Java Agent mode:

a.Copy the java agent file (sntljavadfpagent.jar) to the application server’s bin directory, for example: tomcat\bin

b.Create and modify setenv.bat in the application server’s bin directory (for example: tomcat\bin) with the following content:

set CATALINA_OPTS="-javaagent:sntljavadfpagent.jar=appCode=10000"

4.Connect a Sentinel protection key with the appropriate Batch Code and Feature ID.

5.Start the Web Server.