Most J2EE programs today have no good protection. The traditional approach is obfuscation, but obfuscation may keep the code in JSPs from running normally.
In fact, there is a good alternative: load the key classes with a custom ClassLoader. If classes are loaded by a custom ClassLoader, the critical classes can be stored encrypted and decrypted by the loader when it loads them.
This approach has one weakness: the custom ClassLoader itself is not encrypted. If the ClassLoader is decompiled, your classes can be recovered, and the first step was in vain. Is there a good way to solve this problem? One answer is to modify java.exe so that java.exe itself controls loading of the custom ClassLoader; for the specific approach, refer to "How to effectively protect Java programs".
There is a second problem: in application servers such as Tomcat, WebLogic and WebSphere, how can you guarantee that the custom ClassLoader is used to load the encrypted classes? Application servers generally do not offer a way to plug in such an external ClassLoader. The solution is the factory design pattern: an interface plus an implementation class. When the factory class hands out the interface, it does not create the implementation directly with new. Instead it first instantiates the custom ClassLoader, then calls the custom ClassLoader's load method to load the implementation class.
The program code segment is as follows:
    // MyClassLoader.java
    package com.test.classload;

    import java.io.*;
    import java.util.jar.*;

    public final class MyClassLoader extends ClassLoader {
        private static JarFile jar = null;

        public MyClassLoader() {}

        public Class<?> findClass(String name) throws ClassNotFoundException {
            // Reuse the class if this loader has already defined it.
            Class<?> clasz = findLoadedClass(name);
            if (clasz != null) {
                return clasz;
            }
            // Open test.jar from the working directory on first use.
            if (jar == null) {
                try {
                    String dir = System.getProperty("user.dir");
                    String filename = dir + File.separator + "test.jar";
                    jar = new JarFile(filename);
                } catch (IOException ex) {
                    throw new ClassNotFoundException(name);
                }
            }
            // com.test.Foo -> com/test/Foo.class
            String classname = name.replace('.', '/') + ".class";
            JarEntry entry = jar.getJarEntry(classname);
            if (entry == null) {
                // Not in test.jar: fall back to the system class loader.
                return findSystemClass(name);
            }
            try (InputStream is = jar.getInputStream(entry)) {
                // available() and a single read() may cover only part of the entry, so read to the end.
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[4096];
                int n;
                while ((n = is.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
                byte[] cls = out.toByteArray();
                // An encrypted class would be decrypted here, before defineClass.
                clasz = defineClass(name, cls, 0, cls.length);
            } catch (IOException ex) {
                throw new ClassNotFoundException(name);
            }
            return clasz;
        }
    }
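The factory arrangement described above, with the loader decrypting the class bytes before defining them, as an added example that is not code from the original article. The names EncryptedFactoryDemo, Greeter, GreeterImpl and DecryptingLoader, the choice of AES-GCM and the key generated in memory are all assumptions made for the demonstration; it needs Java 9 or later.

```java
import java.io.InputStream;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class EncryptedFactoryDemo {
    public interface Greeter { String greet(); }          // shared type, loaded by the parent loader
    public static class GreeterImpl implements Greeter {  // stands in for the protected class
        public String greet() { return "defined by " + getClass().getClassLoader().getClass().getSimpleName(); }
    }
    static final String IMPL = "EncryptedFactoryDemo$GreeterImpl";
    static final class DecryptingLoader extends ClassLoader {
        private final SecretKey key; private final byte[] blob;  // blob = 12-byte nonce + AES-GCM ciphertext
        DecryptingLoader(ClassLoader parent, SecretKey key, byte[] blob) { super(parent); this.key = key; this.blob = blob; }
        // Demo only: the plaintext class is also on the classpath, so claim IMPL before the parent can.
        @Override protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!IMPL.equals(name)) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                return c != null ? c : findClass(name);
            }
        }
        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            try {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
                byte[] plain = c.doFinal(blob, 12, blob.length - 12);  // throws if the blob was altered
                return defineClass(name, plain, 0, plain.length);
            } catch (GeneralSecurityException e) { throw new ClassNotFoundException(name, e); }
        }
    }
    // Factory: callers receive the interface and never write "new GreeterImpl()".
    static Greeter create(SecretKey key, byte[] blob) throws Exception {
        ClassLoader parent = Greeter.class.getClassLoader();  // one Greeter type on both sides of the cast
        Class<?> impl = new DecryptingLoader(parent, key, blob).loadClass(IMPL);
        return impl.asSubclass(Greeter.class).getDeclaredConstructor().newInstance();
    }
    public static void main(String[] args) throws Exception {
        byte[] raw = new byte[16], nonce = new byte[12], plain;  // constructed key and nonce
        SecureRandom rnd = new SecureRandom(); rnd.nextBytes(raw); rnd.nextBytes(nonce);
        SecretKey key = new SecretKeySpec(raw, "AES");
        try (InputStream in = EncryptedFactoryDemo.class.getResourceAsStream(IMPL + ".class")) { plain = in.readAllBytes(); }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain), blob = new byte[12 + ct.length];  // encrypt the compiled class file
        System.arraycopy(nonce, 0, blob, 0, 12); System.arraycopy(ct, 0, blob, 12, ct.length);
        System.out.println(create(key, blob).greet());
    }
}
```

The loader's parent must be the loader that defined the interface; otherwise the cast in the factory fails with a ClassCastException. The key has to be reachable by the loader, so anyone who decompiles the loader can recover it, which is the weakness the article notes for an unprotected ClassLoader.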