Hello all,
I'm developing a client (Swing-based) software which allows sending/receiving files from
a JBoss AS central repository, using the JBossWS web service implementation. The JBossWS
version we use is the one that is bundled within the JBoss AS version, in order to ensure
compatibility.
To allow this communication, our Swing-based client software is going to be released with
the required JBossWS client jars (taken from the JBoss AS distribution). For now, we plan
to put those JBossWS jars in a "lib" folder, placed directly under the client
software's root folder. The rest of the client's code (the "proprietary"
part) will be obfuscated.
My question is: in your opinion, should the JBossWS client jars be protected through the
same obfuscation mechanism, in order to ensure maximum security? And BTW, does JBoss
authorize such a mechanism for the jars/sources they deliver?
I tried to find related questions on this forum and on the web, but found none. Actually,
we are afraid one could override the endpoint's address by switching the original
JBossWS client jars placed in the "lib" folder, in order to obtain the
sent/received files from the remote AS.
We are already securing the communication through HTTPS transport, signature and
encryption. However, the client keystore providing the security configuration is not going
to be part of the obfuscation process, as it has to be specific per customer (please note
that the JBoss AS install is specific per customer too, and so each client-specific
keystore is associated with a server-specific keystore). We believe one could change this
client keystore, create a fake endpoint with a new server keystore, and redirect traffic
to this fake endpoint by changing the JBossWS client jars. But maybe we are being a bit
paranoid?
Our configuration:
- JDK 5
- JBoss AS 4.2.3 with JBossWS native 3.0.1
Any opinion about this point would be appreciated.
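One way to take the endpoint address and the server trust decision out of the swappable "lib" jars and keystore, as an added example that is not part of the original post or of JBossWS: the obfuscated client code forces the endpoint URL itself and pins the customer's server certificate by SHA-256 fingerprint. The class name, the endpoint URL, the fingerprint placeholder and the generated port type are assumptions; it also assumes the client's HTTPS calls go through HttpsURLConnection so the default SSLSocketFactory applies, which is not verified here for JBossWS native 3.0.1.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.xml.ws.BindingProvider;

/** Hypothetical helper: keeps endpoint and trust anchor inside the (obfuscated) client code. */
public final class PinnedEndpointClient {

    // Placeholder values: a real build would embed the customer's endpoint and certificate fingerprint.
    static final String EXPECTED_ENDPOINT = "https://repository.example.invalid/ws/files";
    static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_SERVER_CERT_SHA256_HEX";

    /** Accepts exactly one server certificate: the pinned one. No keystore file is consulted. */
    static final class PinningTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not validated on this side");
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
            String actual = sha256Hex(chain[0].getEncoded());   // leaf certificate, DER encoded
            if (!actual.equalsIgnoreCase(EXPECTED_CERT_SHA256)) {
                throw new CertificateException("server certificate is not the pinned one: " + actual);
            }
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static String sha256Hex(byte[] der) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));   // negative bytes print as two's complement
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Installs the pinning trust manager for all HttpsURLConnection-based calls in this JVM. */
    static void installPinning() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager() }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    /** Overrides whatever address the WSDL or a replaced jar carries: the port only ever talks to EXPECTED_ENDPOINT. */
    static void forceEndpoint(BindingProvider port) {
        port.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, EXPECTED_ENDPOINT);
    }
}
```

This only raises the bar against tampering with the shipped lib folder or keystore; an operator who controls the whole client installation can still patch the obfuscated code, so the server side must keep authenticating and authorizing each client on its own.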
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4236956#...