Design of Java encryption and licence control

Encryption | control | design

1. Copyright Notice

This article is a description of how to load the encrypted class file with the serial number. The resin Hessian mentioned herein is the registered product name of Caucho Company and its copyright is Caucho all. This article can be reproduced, but must indicate the author's blog address: Http://blog.csdn.net/oldjavaman

2. The applicable object of this article

As a technician, the technical details of this article are related to the basics of the Java language, you should know the Java dynamic loading class before reading the mechanism, as well as the general knowledge of Java encryption, and this article assumes that you have the basic ability to develop the web, Learn about the process of JSP and servlet operation.

3. How to Read

You can download the jar file and the Encryption tool Http://www.collegesoft.com.cn/download/licenceClient_1.0.3.jar encryption tool used in this article at the following address: http:// Www.collegesoft.com.cn/download/encryption.exe about the generation of serial numbers, in view of the protection of the company's products are no longer publicly released, interested colleagues can use mail and I exchange.

4. Overview

4.1. The reason for encrypting Java source code

The Java source code is compiled and executed in the JVM. Because the JVM interface is completely transparent, Java class files can easily be converted back into source code through the reverse compiler. So, all the algorithms, class files can be disclosed in the form of source code, so that the software can not be protected, in order to protect property rights, generally can have the following methods: (1) "Fuzzy" class file, the file name and method for 000OOoo, of course, as long as you have enough patience, 　　It's not difficult to convert these codes into code that you can read. (2) Popular encryption tools encrypt source files, such as PGP (Pretty Good Privacy) or GPG (GNU privacy Guard). At this point, the end user must decrypt before running the application. 　　But after the decryption, the end user has a unencrypted class file, which is no different from the prior encryption. (3) Encrypt class file, in run JVM Use custom class loader (class Loader) to decrypt class file. The mechanism of Java running fashion into bytecode implicitly means that bytecode can be modified. Each time the JVM loads a class file, it needs an object called ClassLoader, which is responsible for loading the new class into the running JVM. 　　The JVM gives ClassLoader a string containing the name of the class to be loaded (for example, Java.lang.Object), and then the ClassLoader is responsible for finding the class file, loading the raw data, and converting it into a class object. The user downloads the encrypted class file and decrypts it as it is loaded, so it can be viewed as an instant decryption device.  　　Since the decrypted bytecode file will never be saved to the file system, it is difficult for the spy to get the decrypted code. Since the process of converting raw bytecode into class objects is entirely system-specific, it is not difficult to create custom ClassLoader objects, with the original data first, and any transformations that include decryption.

4.2. Java cryptographic System and Java password extensions

The Java Cryptographic System (JCA) and Java Password Extensions (JCE) are designed to provide Java with an implementation-independent cryptographic function API. They all use the factory method to create routines for the class, the actual cryptographic function is then delegated to the underlying engine specified by the provider, which provides a service provider interface for the class to encrypt/decrypt the data in Java and is implemented using its built-in JCE (Java encryption extension). The Java cryptography Architecture supports vendor interoperability while supporting hardware and software implementations.

4.3. The approach used in this article

We used a third way to encrypt the class file as a release of the product, but in order for the encryption to be used in different projects, the decryption process was made into a webservice way.

5. Basic Design Idea

This process can be divided into 5 parts:

1 The encrypted class file is passed into the WebService. 2 WebService to view licence is inside, whether there is legal information, such as product name, version, authorized user, has expired time, etc., have this decision whether to continue the implementation of step 3rd 3) If all validation passes, will be returned by webservice a decrypted file 4 by the local webservice to load this class object, 5 to construct into a class of instance

6. That file should be encrypted.

In the past, the attempt to encrypt their own APIs, but as the API itself within the company distribution, which requires each of us to write code programmer must be a licence to do normal work, for the API upgrades and maintenance also bring great inconvenience, why?   Because the API cannot be published as a jar, it can only be published in class. So. What are we supposed to encrypt? When we design a Web program, the general process is that login then records his identity in the session or cookie, such as what kind of user she is, a student or a teacher or an administrator, and we want to record what permissions he has, and what is the scope of each permission? Then this process we generally in the user login, and the database after the connection to do, this is a complex logic operation process, encryption This method is a good idea, so malicious users, even if all the other class files with Jad to restore, also useless, Unless he can guess what you did when you were in login.

7. How to encrypt your own Java files

7.2. Encryption of files

Encrypt our files, we are using JCE algorithm to carry out, the specific encryption implementation, I no longer narrate, in Google, you can get more than n articles in the description of the use of this jce, for our files, has provided a Windows EXE program to come to the line, This file is called Encryption.exe. You can encrypt your files using the following command

C:> Encryption–encrypto Myclass.class

So you can make your files into Jad and other tools can not decompile the file.

8. Product information obtained from Licencecenter

Whether you add a course or create a new user, you may have a requirement, how do I know what kind of information my product authorizes to this user, and whether he is allowed to build another course or add a client? We provide the jar inside to solve your confusion: the code is as follows

Licencefactory licencefactory=new licencefactory (); Licencefactory.getlicence ("Urproductname");

If the product does not register a serial number in the validation center, it returns null;

9. What configuration should be added to the program

In Licenceclient, the system needs to read the Licencecenter address, when your Web application is published, you must write the WebService address as an environment variable and add a code to the Web.xml:

<env-entry> <env-entry-name>licence_service_url</env-entry-name> <env -entry-value>http://192.168.2.212:8080/licencecenter/licenceservice</env-entry-value> <env-entry- Type>java.lang.string</env-entry-type> </env-entry>

You can place the Red section on your Web server, assuming you see the following interface, indicating that the validation center has been successfully installed

10. About the installation of the verification Center

The installation files for the validation center are licenceservice1.0.1.zip in your operating system and unzipped in a directory. Configure an application in your Java Web server, such as: Licencecenter take resin as an example: Add code to httpd.conf:

<web-app id= "Demo" app-dir= "E:/licencescenter/webapp" > <servlet-mapping url-pattern= ' * . jsp ' servlet-name= ' Com.caucho.jsp.JspServlet '/> </web-app>

The Web.xml file in your application must contain

<servlet servlet-name= "Licenceservice" servlet-class= "Com.caucho.hessian.server.HessianServlet" > <init-p Aram service-class= "Com.collegesoft.licence.LicenceService"/> <init-param api-class= " Com.collegesoft.licence.LicenceServiceStub "/> </servlet> <servlet-mapping url-pattern=" Licenceservice "servlet-name=" Licenceservice "/>

11. Frequently Asked Questions

Q: Why not directly in the WebService load a class, but to the client to use ClassLoader to load? A: A lot of programmers have asked me this question, in fact it is very simple, if you know the ClassLoader mechanism, you know that if you expand the login instance to use your other object, such as Onlineuser, then in the WebService to load your class, I have to have your class, but WebService is not sure what kind of class you are going to use in the future. Q: Why on the Redhat9, access to the verification center will appear in Chinese garbled problem? A: It is because the default character set for Redhat9 is not GBK. General use will command export LANG=ZH_CN. GBK is added to the Resin service startup file.