Discussion:
[jboss-user] [JBoss Microcontainer] - Encrypted class loading with jboss 5.1
Irfan Basha
2013-02-08 09:44:53 UTC
Permalink
Irfan Basha [https://community.jboss.org/people/irbash] created the discussion

"Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/796705#796705

--------------------------------------------------------------
Hello All,

We are using http://www.coderanch.com/forums/f-63/JBoss?OWASP_CSRFTOKEN=644T-1D3Y-OILF-5XV7-1OVN-NFDA-XYE7-7FX3 jboss 5.1 to deploy our application. Now we want to secure our .class files, so we are trying to encrypt the .class files.
but once we use encrypted .class files, jboss throws error (rather warnings saying
WARN [org.jboss.detailed.classloader.ClassLoaderManager] (main) Unexpected error during load of:xxx.xxx.UserController
http://docs.oracle.com/javase/7/docs/api/java/lang/ClassFormatError.html java.lang.ClassFormatError: Unknown constant tag 80 in class file xxx/xxx/UserController)

To solve this issue, I got the source of jboss-classloader.jar (This jar is in /lib folder of jboss), and I saw that the class BaseClaseLoader is the class which finally calls jvm's classloader.
Hence I changed the code of BaseClassLoader's loadClassLocally method, and decrypted the class before it calls jvm's classloader. And it worked.

Now I dont want to modify jboss's source code hence I am looking for a way to do this without modifying the jboss libraries. I was going through http://java.dzone.com/articles/jboss-microcontainer-classloading http://java.dzone.com/articles/jboss-microcontainer-classloading and I feel it is possible to load encrypted classes into jboss by creating custom ClassLoaderPolicy. I tried a lot to do this, but I am not able to get it working.

Can some one tell me how I can add a custom class loader to jboss 5.1 which can decrypt the .class files before loading it.

Thanks,
Irfan
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/796705#796705]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Ales Justin
2013-02-09 21:46:13 UTC
Permalink
Ales Justin [https://community.jboss.org/people/alesj] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/796903#796903

--------------------------------------------------------------
Post by Irfan Basha
Now I dont want to modify jboss's source code hence I am looking for a way to do this without modifying the jboss libraries. I was going through http://java.dzone.com/articles/jboss-microcontainer-classloading http://java.dzone.com/articles/jboss-microcontainer-classloading and I feel it is possible to load encrypted classes into jboss by creating custom ClassLoaderPolicy. I tried a lot to do this, but I am not able to get it working.
Imo, this is the right way to do it.
What's the issue -- to not be able to make it work?

Or you can start-up AS with agent, in where you register ClassFileTransformer.

Also, I know I added ClassFileTransformer per ClassLoader, just dunno if this already made it into AS5.1.
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/796903#796903]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Irfan Basha
2013-02-11 07:30:35 UTC
Permalink
Irfan Basha [https://community.jboss.org/people/irbash] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/796978#796978

--------------------------------------------------------------
Hi Ales,

Thanks for the reply.

*What I mean by not able to make it work is:*
I downloaded the complete demo from the svn, and I build it (only the classloader since I need only that) with ant script (not the pom maven), and after this I have a jar *(*jboss-demo-classloader.jar: with . crypt-beans.xml, regexp-beans.xml, bootstrap-beans.xml and cl-describe.xml in META-INF folder. I also took care of Main.java which is reference from ClassLoaderMain.java*)*

After this I don't know how to use this jar... I placed it in deploy folder hoping that it will be loaded but it dint. I tried placing it in /lib folder of jboss along with the jboss-classloader.jar and that dint work as well. I probably might be doing some simple mistake (or rather might be completely wrong) and I am stuck here.

If I understand it right (Please correct me if I am wrong), after I build this jar from the demo source the jboss has to use the two new classloaderpolicy's (depending on which one we mention in Main.setSystemProperty of ClassLoaderMain:
+public class ClassLoaderMain+
+{+
+   public static void main(String[] args)+
+   {+
+      Main.setSystemProperty("demos.cl.policy", "regexp", false); // default CL policy+


+      Map<String, String> map = Collections.singletonMap(Main.CL_DESCRIBE, "C:/Users/irfan/workspace/jboss-classloader/META-INF/${demos.cl.policy}-beans.xml");+
+      Main.main(args, map);+
+   }+
+}+

Please let me know what I am doing wrong. Am I doing something wrong in creating jar ? Or am I doing something wrong in placing the four xml's in META-INF ? or is there something else which I should do ?

Thanks,
Irfan
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/796978#796978]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Ales Justin
2013-02-11 09:32:48 UTC
Permalink
Ales Justin [https://community.jboss.org/people/alesj] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797006#797006

--------------------------------------------------------------
The main and (only) thing that you need to do is this deployer:
* http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderPolicyModule.java http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderPolicyModule.java

As you can see, we change the CL policy to CrypterClassLoaderPolicy.

Or the commented code, where we just add translator to policy.
This is a better / easier way, but I need to check if this is already available in AS5.1.

I also added a way to do this declarative, via xml, but I really doubt this one is in AS5.1,
meaning you're definitely have to do it via adding a custom deployer.
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797006#797006]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Ales Justin
2013-02-11 09:39:40 UTC
Permalink
Ales Justin [https://community.jboss.org/people/alesj] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797007#797007

--------------------------------------------------------------
Post by Ales Justin
Or the commented code, where we just add translator to policy.
This is a better / easier way, but I need to check if this is already available in AS5.1.
This is already available in 2.0.5:
* http://anonsvn.jboss.org/repos/jbossas/projects/jboss-cl/tags/2.0.5.GA/classloader/src/main/java/org/jboss/classloader/spi/base/BaseClassLoaderPolicy.java http://anonsvn.jboss.org/repos/jbossas/projects/jboss-cl/tags/2.0.5.GA/classloader/src/main/java/org/jboss/classloader/spi/base/BaseClassLoaderPolicy.java
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797007#797007]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Ales Justin
2013-02-11 09:48:42 UTC
Permalink
Ales Justin [https://community.jboss.org/people/alesj] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797008#797008

--------------------------------------------------------------
Post by Ales Justin
I also added a way to do this declarative, via xml, but I really doubt this one is in AS5.1,
meaning you're definitely have to do it via adding a custom deployer.
Yup, this one is not in 2.0.x, only in 2.2.x, which is not fully compatible with AS5.x, only with AS6.
* http://anonsvn.jboss.org/repos/jbossas/projects/jboss-deployers/trunk/deployers-impl/src/main/java/org/jboss/deployers/plugins/classloading/AbstractTranslatorsDeployer.java http://anonsvn.jboss.org/repos/jbossas/projects/jboss-deployers/trunk/deployers-impl/src/main/java/org/jboss/deployers/plugins/classloading/AbstractTranslatorsDeployer.java
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797008#797008]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Irfan Basha
2013-02-11 13:40:48 UTC
Permalink
Irfan Basha [https://community.jboss.org/people/irbash] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797048#797048

--------------------------------------------------------------
Dear Ales,

I am confused again... So I have to do the following:
1. Write a ClassLoaderPolicyModule which extends VFSDeploymentClassLoaderPolicyModule and change the CL policy to CrypterClassLoaderPolicy similar to: http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderPolicyModule.java http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderPolicyModule.java
2. Write a custom deployer to deploy this classloaderpolicy

Is it correct ? (I am sorry if I am asking too trivial questions)

I didnot understand the better/easier way you mentioned... (the one with BaseClassLoaderPolicy.java)

Thanks,
Irfan
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797048#797048]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Ales Justin
2013-02-11 14:13:54 UTC
Permalink
Ales Justin [https://community.jboss.org/people/alesj] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797054#797054

--------------------------------------------------------------
You need 3 things:

(a) custom DecrypyterTranslator

(b) custom ClassLoaderPolicyModule -- similar to DecrypterClassLoaderPolicyModule

But instead of providing full CLPolicy, you simply add translator from (a).

@Override
   protected VFSClassLoaderPolicy determinePolicy()
   {
      VFSClassLoaderPolicy policy = super.determinePolicy();
      policy.addTranslator(new DecrypterTranslator(decrypter));
      return policy;
   }

(c) custom deployer which creates DecrypterClassLoaderPolicyModule

* http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderDescribeDeployer.java http://anonsvn.jboss.org/repos/jbossas/projects/demos/microcontainer/trunk/classloader/src/main/java/org/jboss/demos/classloader/deployers/DecrypterClassLoaderDescribeDeployer.java
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797054#797054]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Irfan Basha
2013-02-11 14:16:42 UTC
Permalink
Irfan Basha [https://community.jboss.org/people/irbash] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797056#797056

--------------------------------------------------------------
Hi Ales,

Thanks for your reply. I'll try the steps you mentioned.

Regards,
Irfan
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797056#797056]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Ales Justin
2013-02-11 14:23:27 UTC
Permalink
Ales Justin [https://community.jboss.org/people/alesj] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797060#797060

--------------------------------------------------------------
Like I said, the problem is that you have to modify AS instance / distribution -- adding this 3 custom classes + some config.
I only realized this is very useful in AS6+, to be done configurable.
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797060#797060]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Irfan Basha
2013-02-11 14:34:58 UTC
Permalink
Irfan Basha [https://community.jboss.org/people/irbash] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797063#797063

--------------------------------------------------------------
These 3 custom classes will be a seperate jar isnt it ?
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797063#797063]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Ales Justin
2013-02-11 14:58:21 UTC
Permalink
Ales Justin [https://community.jboss.org/people/alesj] created the discussion

"Re: Encrypted class loading with jboss 5.1"

To view the discussion, visit: https://community.jboss.org/message/797069#797069

--------------------------------------------------------------
Post by Irfan Basha
These 3 custom classes will be a seperate jar isnt it ?
Yes.

Plus you need to register this new deployer against current AS deployers.

But that is trivial to do -- simply create a MC bean / pojo from it,
and AS will pick it up automagically. :-)
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/797069#797069]

Start a new discussion in JBoss Microcontainer at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2114]
Loading...