JBoss Community

Re: JAR blacklist for deployment

created by Nicholas DiPiazza in JBoss AS 7 Development

First of all, thanks for the feedback. I'm glad you think it's a good idea.

So as a follow-up: I'm looking for your opinions on the best strategy for coming up with the best default list of blacklisted JARs. In other words, JARs that are NEVER OK to have in your deployment.

I need to work out:

a) how to check whether a JAR has been blacklisted

b) how to get a list of blacklisted JARs

My ideas for (a):

  • Collect a SHA1 checksum for each blacklisted JAR and store them in a text file, conf/blacklist.properties. Load the checksum list as a dictionary during server startup. Validate the SHA1 checksum of each deployed JAR to verify that none matches a blacklisted JAR from the dictionary.
  • Just store the MANIFEST.MF for all blacklisted JARs in a special directory within conf/blacklisted-jar-manifests. During deployment, check that no JAR manifest matches a blacklisted one.
  • Instead of blacklisting JARs, blacklist certain classes that, if found in any JAR within your deployment, will cause the warning. ----> This is the one I'm leaning towards.

My ideas for (b):

List of all JBoss system JARs:

From AS7+: Blacklist some or all JARs from modules\org\jboss

For AS4-6: Blacklist all JARs in client/jboss*.jar, server/default/lib/jboss*.jar, and server/all/lib/jboss*.jar

That is a good default list for now.

Any ideas on this?
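
The SHA1 idea and the class-blacklist idea from the post side by side, as an added example that is not part of the original post and is not JBoss code: a standalone Python check that scans a deployment archive, including nested JARs, for blacklisted class entries. The class name `org/jboss/example/SystemService.class`, the archive names, and all function names are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

# Hypothetical blacklist entry; the post does not name specific classes.
BLACKLISTED_CLASSES = {"org/jboss/example/SystemService.class"}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".sar", ".rar")


def make_archive(entries, comment=b""):
    """Build a constructed in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.comment = comment
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha1_blacklisted(archive, blacklisted_sha1s):
    """Idea 1 from the post: look up the SHA1 of the whole file."""
    return hashlib.sha1(archive).hexdigest() in blacklisted_sha1s


def find_blacklisted_classes(archive, path="deployment", depth=0, max_depth=4):
    """Idea 3 from the post: report blacklisted class entries, descending
    into nested archives up to max_depth (bounds deeply nested input)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            where = f"{path}!/{info.filename}"
            if info.filename in BLACKLISTED_CLASSES:
                hits.append(where)
            elif info.filename.lower().endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                hits += find_blacklisted_classes(zf.read(info), where, depth + 1, max_depth)
    return hits


# Constructed sample data: placeholder bytes, not real bytecode.
CLASS_BYTES = b"\xca\xfe\xba\xbe constructed placeholder"
SYSTEM_JAR = make_archive({"org/jboss/example/SystemService.class": CLASS_BYTES})
REPACKED_JAR = make_archive({"org/jboss/example/SystemService.class": CLASS_BYTES}, comment=b"repacked")
CLEAN_JAR = make_archive({"com/example/app/Main.class": CLASS_BYTES})
WAR = make_archive({"WEB-INF/lib/renamed.jar": REPACKED_JAR, "WEB-INF/lib/app.jar": CLEAN_JAR})
SHA1_LIST = {hashlib.sha1(SYSTEM_JAR).hexdigest()}

if __name__ == "__main__":
    print(sha1_blacklisted(SYSTEM_JAR, SHA1_LIST), sha1_blacklisted(REPACKED_JAR, SHA1_LIST))
    print(find_blacklisted_classes(WAR))
```

The re-zipped, renamed copy of the system JAR no longer matches the stored SHA1, while the class scan still reports it inside the WAR.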
