1. Copyright Disclaimer this article describes how to use serial numbers to load encrypted class files. The resin Hessian mentioned in this article is the registered product name of Caucho, which is owned by Caucho. This article can be reproduced, but must indicate the author's blog address: http://blog.csdn.net/oldjavaman2. this article applies to technical personnel. The technical details of this article involve the basic knowledge of the Java language. Before reading this article, you should understand the mechanism of dynamically loading classes in Java, and general knowledge about Java encryption. At the same time, this article assumes that you have the basic web development capabilities to understand the operation process of JSP and servlet. 3. you can download the JAR file and the encryption tool secret used in this article at the following address. In view of the protection of the company's products, it will not be publicly published, if you are interested, you can use mail to communicate with me. 4. Overview 4.1. Reasons for encrypting Java source code is compiled and executed in JVM. Because the JVM interface is completely transparent, Java class files can be easily converted to source code through the Anti-compiler. Therefore, all algorithms and class files can be made public in the form of source code, so that the software cannot be protected. To protect the property rights, there are generally the following methods: (1) "fuzzy" class file, replace the file name and method with 000oooo. Of course, it is not difficult to convert these codes into codes that you can understand as long as you have enough patience. (2) Popular encryption tools encrypt source files, such as PGP (pretty good privacy) or GPG (GNU Privacy Guard ). In this case, the end user must decrypt the application before running it. However, after decryption, the end user has a non-encrypted class file, which is no different from the pre-encryption. (3) encrypt class files. During running, JVM uses a custom class loader to decrypt class files. The mechanism of importing bytecode to Java runtime implies that the bytecode can be modified. Every time the JVM loads a class file, it needs an object called classloader, which loads the new class into the running JVM. JVM provides classloader with a class to be loaded (for example, Java. lang. object) Name string, then the classloader is responsible for finding the class file, loading the original data, and converting it into a class object. The user downloads encrypted class files and decrypts them when they are loaded. Therefore, they can be seen as an instant encryptor. Since the decrypted bytecode file will never be stored in the file system, it is difficult for the hacker to obtain the decrypted code. Because the system is fully responsible for converting the original bytecode into a class object, it is not difficult to create a custom classloader object. You only need to obtain the original data first, then, you can perform any conversions including decryption. 4.2. Java password system and Java password extension Java password system (JCA) and Java password extension (JCE) are designed to provide Java with encryption function APIs unrelated to implementation. They use the factory method to create class routines, and then delegate the actual encryption function to the underlying engine specified by the provider, the engine provides a service provider interface for classes to encrypt/decrypt data in Java, which is implemented using its built-in JCE (Java encryption extension. The Java cryptographic architecture supports vendor interoperability and hardware and software implementation. 4.3. this document uses the third method to encrypt the class file as the product release version. However, in order to enable this encryption method to be used in different projects, the decryption process is made into WebService. 5. basic Design Ideas
This process can be divided into five parts:
1) Pass the encrypted class file to WebService. 2) check whether the licence contains legal information, such as the product name, version, authorized user, and expiration time, this determines whether to continue with Step 3. If all verification passes, a decrypted file will be returned by WebService. 4) the class object will be loaded by the local WebService. 5) construct an instance of Class 6. the file should have been encrypted before, and tried to encrypt its own API, but as the API itself is released within the company, this requires that each of our programmer must have a licence to compile the code, which brings great inconvenience to API upgrade and maintenance. Why? Because the API cannot be published as a jar and can only be published as a class. So what should we encrypt? When we design a web program, the general process is that login then records its identity information in the session or cookie, such as what kind of user she is, it's a student, a teacher, or an administrator. At the same time, we need to record what permissions he has and what scope of operations each permission has? This process is generally performed after the user logs on to the database and connects to the database. This is a complicated logical operation process. The encryption method is a good idea, such a malicious user, it doesn't matter even if you use Jad to restore all other class files, unless he can guess what you did in login. 7. how to encrypt your Java file 7.2. file encryption encrypts our files. We use the JCE algorithm. The specific encryption implementation will not be described again. In Google, you can get more than N Articles to describe the usage of this JCE. For our files, a Windows exeprogram line has been developed. This file is called encryption.exe. You can use the following command to encrypt your files:
C:> encryption-encrypto myclass. Class |
In this way, you can make your files into files that cannot be decompiled by tools such as Jad. 8. no matter whether you add a course or create a new user, you may have a requirement on the product information obtained from licencecenter. How do I know the information that my product authorizes this user, are you allowed to create another course or add another customer? The jar we provide can solve your confusion: the code is as follows:
Licencefactory = new licencefactory (); licencefactory. getlicence ("urproductname "); |
If the product does not have a serial number registered in the verification center, null is returned; 9. the system needs to read the address of licencecenter in the licenceclient. When your web application is published, you must write the WebService address as an environment variable on the web. add a piece of code in XML:
<Env-entry> <env-entry-Name> licence_service_url </env-entry-Name> <env-entry-value> http: // 192.168.2.212: 8080/licencecenter/licenceservice </env-entry-value> <env-entry-type> JAVA. lang. string </env-entry-type> </env-entry> |
You can place the red part on your Web server for access. If you see the following interface, it indicates that the verification center has been installed successfully 10. the installation file of the verification center is licenceservice1.0.1.zip. Unzip it to a directory in your operating system. Configure an application in your Java Web server, for example, licencecenter. Use resin as an example: add the code in httpd. conf:
<Web-app id = "Demo" app-Dir = "E:/licencescenter/webapp"> <servlet-mapping URL-pattern = '*. JSP 'servlet-name = 'com. caucho. JSP. jspservlet '/> </Web-app> |
The Web. xml file in your application must contain
<Servlet-name = "licenceservice" servlet-class = "com. caucho. hessian. server. hessianservlet "> <init-Param service-class =" com. collegesoft. licence. licenceservice "/> <init-Param API-class =" com. collegesoft. licence. licenceservicestub "/> </servlet> <servlet-mapping URL-pattern ="/licenceservice "servlet-name =" licenceservice "/> |
11. FAQs
Q:Why do we not load a class directly in WebService, but use classloader to load it on the client?
A:Many programmers have asked me this question. In fact, it is very simple. If you know the classloader mechanism, you will know that your extended login instance uses another object, such as onlineuser, to load your class in WebService, I must own this class, but WebService does not know what class you will use in the future. Q: Why is Chinese garbled characters in the access verification center on redhat9? A: The default Character Set of redhat9 is not GBK. Add the command export lang = zh_cn.gbk to the resin Service Startup File. 13. with regard to the author oldjavaman, a Java enthusiast who prefers opensouce, he has to rely on it to support his family and cannot implement open-source practices, we hope that one day you can write your favorite programs and enjoy your life.