Results 1 to 13 of 13

Thread: ear security

  1. #1
    GEqui is offline Member
    Join Date
    Jul 2012
    Posts
    7
    Rep Power
    0

    Default ear security

    Hello All,

    i have been trying to find all day long a way to secure my .ear file from modifications made by third parties...
    My product is packaged as an .ear file which i send for deployment to other administrators. What i am looking for is a way to "sign" my version of .ear versus the deployed version of .ear to be sure that no modification has been mafe to my code... Anybody knowing any tool that provides that kind of functionality would be very helpful!

    Thanx

  2. #2
    doWhile is offline Moderator
    Join Date
    Jul 2010
    Location
    California
    Posts
    1,642
    Rep Power
    7

    Default Re: ear security

    Please do not duplicate posts - your other thread has been removed.

  3. #3
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    11,755
    Rep Power
    19

    Default Re: ear security

    Not sure I've heard of anything like that, but would producing an SHA/MD5 hash be sufficient for you?
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  4. #4
    GEqui is offline Member
    Join Date
    Jul 2012
    Posts
    7
    Rep Power
    0

    Default Re: ear security

    Thanx for the reply..
    Is there any available tool providing this kind of functionality for .ear files or should i impement it by myself?(proposed technology used?)

  5. #5
    GEqui is offline Member
    Join Date
    Jul 2012
    Posts
    7
    Rep Power
    0

    Default Re: ear security

    Could a password protected .ear file be the solution? Or would there be a problem when deploying it to the application server?

  6. #6
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    11,755
    Rep Power
    19

    Default Re: ear security

    No idea I'm afraid.
    I doubt password protecting would work, as you say, I think it would bugger up deployment.

    Why are you concerned about someone making some changes to your unzipped ear?
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  7. #7
    GEqui is offline Member
    Join Date
    Jul 2012
    Posts
    7
    Rep Power
    0

    Default Re: ear security

    Ok found a tool to calculate the .ear checksum..
    Now i have to somehow tell the websphere that is should only accept the specific checksum for my .ear file and exclude any other...
    Any ideas how to do this?

  8. #8
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    11,755
    Rep Power
    19

    Default Re: ear security

    No idea I'm afraid, especially since you aren't the one doing the deploying.
    I'm still not entirely sure why you're concerned about someone changing the ear.
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  9. #9
    GEqui is offline Member
    Join Date
    Jul 2012
    Posts
    7
    Rep Power
    0

    Default Re: ear security

    The contents of ear could change because of malicious actions or even by virus infected environment of the deployer..
    All these would lead to an unsuccessfull deployment which i ll have to cope with...

  10. #10
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    11,755
    Rep Power
    19

    Default Re: ear security

    But then you'd have to monitor the ear all the time.
    Hashing wouldn't be a solution in that case as it's not a speedy thing and you'd need to rehash regularly to monitor the state of the deployment.
    The EAR is just an archive, which may or may not be unzipped onto the server, after which you don't really have much control over what happens.
    I was thinking solely in terms of checking at deployment that the EAR matched the given SHA/MD5.
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  11. #11
    GEqui is offline Member
    Join Date
    Jul 2012
    Posts
    7
    Rep Power
    0

    Default Re: ear security

    Actually what i was looking for was a way to "tell" the websphere server:
    Thats the checksup of my deploeyed .ear file... If this checksum changes stop running,because it was not supposed to change..

    .ear file contents are not extracted, .ear file is deployed as is on the ws Server

  12. #12
    Tolls is offline Moderator
    Join Date
    Apr 2009
    Posts
    11,755
    Rep Power
    19

    Default Re: ear security

    You'd need a process outside of websphere to do the checksum processing.
    Except the ear is flexible isn't it once deployed?
    Aren't some of the attributes editable from the websphere control panel?
    It's been 2 or 3 years since I had that as a target platform, so I might be misremembering.
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  13. #13
    GEqui is offline Member
    Join Date
    Jul 2012
    Posts
    7
    Rep Power
    0

    Default Re: ear security

    Havent found anything from websphere documentation.. The only thing provided is a way to sign your .jar files but only when they are distributed to a number of clients(which will want to verify that they have the correct .jar version) .

    Still looking for a way to lock the .ear modification build on websphere server level..

Similar Threads

  1. Security Exception
    By kedinik in forum Java Applets
    Replies: 6
    Last Post: 02-10-2011, 02:20 AM
  2. security
    By danghieu in forum New To Java
    Replies: 3
    Last Post: 04-26-2010, 07:24 PM
  3. Security
    By manticohd in forum Reviews / Advertising
    Replies: 1
    Last Post: 02-03-2010, 08:17 AM
  4. Java security
    By Zosden in forum Java Applets
    Replies: 43
    Last Post: 08-02-2008, 02:10 PM
  5. Replies: 1
    Last Post: 07-23-2007, 11:59 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •