Java Client .class File Protection
- by Zac
I am in the requirements phase of building a JEE application that will most likely run on a GlassFish/JBoss backend (doesn't matter for now). I know I shouldn't be thinking about architecture at requirements time, but one can't help but start to imagine how the components would all snap together :-)
Here are some hard, non-flexible requirements on the client-side:
(1) The client application will be a Swing box
(2) The client is free to download, but will use a subscription model (thus requiring a login mechanism with server-side authentication/authorization, etc.)
(3) Yes, Java is the best platform solution for the problem at hand for reasons outside the scope of this post
(4) The client-side .class files need safeguarding against decompiling
That last (4th) requirement is the basis of this post.
I'm not really worried about someone actually decompiling and getting at my source code: in the end, it's just Swing controls driven by some lightweight business logic.
I'm worried about a scenario where someone decompiles my code, modifies it to exploit/attack the server, re-compiles, and fires it up.
I've envisioned all sorts of nasty solutions, but didn't know if this was a common problem with a common solution for JEE developers. Any thoughts?
Not interested in "code obfuscation" techniques!
Thanks for any input!
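The scenario in the question (a recompiled client sending requests the shipped client would never send) is the same scenario as someone driving the server with a hand-written HTTP client, so the defence has to live on the server rather than in the .class files. The following is an added example, not part of the post and not the poster's code: it models the server-side half with an in-memory session, role and subscription store in place of the container's security layer, and the request shape, user names and action names are hypothetical.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Added illustration: the server is the only trust boundary. Nothing the
 * Swing client asserts about itself (its role, its subscription state,
 * "I am the genuine build") feeds a decision; every decision is derived
 * from state the server holds itself. Names and request shape are hypothetical.
 */
public class ServerSideEnforcement {

    /** What arrives on the wire. A recompiled client can put anything here. */
    public record Request(String sessionToken, String action,
                          String targetAccount, boolean clientClaimsAdmin) {}

    // Hypothetical stand-ins for the container's session, role and subscription stores.
    private final Map<String, String> sessionToUser = new HashMap<>();
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    private final Set<String> activeSubscribers = new HashSet<>();

    /** Issue a session after server-side credential verification (verification omitted here). */
    public String issueSession(String user) {
        String token = UUID.randomUUID().toString();
        sessionToUser.put(token, user);
        return token;
    }

    public String handle(Request r) {
        // 1. Identity comes from the server-side session, never from the request body.
        String user = sessionToUser.get(r.sessionToken());
        if (user == null) return "401 not authenticated";

        // 2. Subscription state is re-checked on every request, not only at login,
        //    so a client that patches out its own check gains nothing.
        if (!activeSubscribers.contains(user)) return "403 subscription inactive";

        // 3. Roles come from the server store; r.clientClaimsAdmin() is deliberately ignored.
        Set<String> roles = userRoles.getOrDefault(user, Set.of());

        // 4. Actions are allow-listed; anything the shipped client would never send is rejected.
        String action = r.action() == null ? "" : r.action();
        switch (action) {
            case "viewAccount":
                if (!user.equals(r.targetAccount()) && !roles.contains("admin"))
                    return "403 forbidden: cannot read another subscriber's account";
                return "200 account " + r.targetAccount();
            case "exportAllAccounts":
                if (!roles.contains("admin")) return "403 forbidden: admin only";
                return "200 export";
            default:
                return "400 unknown action";
        }
    }

    public static void main(String[] args) {
        ServerSideEnforcement server = new ServerSideEnforcement();
        // Constructed sample state: alice is an ordinary subscriber, bob an admin, carol lapsed.
        server.activeSubscribers.add("alice");
        server.activeSubscribers.add("bob");
        server.userRoles.put("bob", Set.of("admin"));
        String alice = server.issueSession("alice");
        String carol = server.issueSession("carol");

        // A modified client asserting admin rights: the flag is never consulted.
        System.out.println(server.handle(new Request(alice, "exportAllAccounts", null, true)));
        // A modified client asking for another subscriber's data.
        System.out.println(server.handle(new Request(alice, "viewAccount", "bob", true)));
        // The legitimate case still works.
        System.out.println(server.handle(new Request(alice, "viewAccount", "alice", false)));
        // A lapsed subscriber who bypassed the client-side subscription check.
        System.out.println(server.handle(new Request(carol, "viewAccount", "carol", false)));
        // A forged token.
        System.out.println(server.handle(new Request("made-up", "viewAccount", "alice", false)));
    }
}
```

Compile and run with `java ServerSideEnforcement.java` (Java 16 or later for records). In a real JEE deployment the same three rules map onto container-managed security: identity from the authenticated principal, roles via `@RolesAllowed` or `HttpServletRequest.isUserInRole`, and subscription and ownership checks in the business tier on every call. Once the server holds to that, the client's bytecode can be read, modified and recompiled without changing what the server will agree to do.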