Solution for Protecting Cocoon Apps

[Jörn Heid <he...@fh-heilbronn.de>]

Background:
If you want to gíve customers your application (e.g. for a demo,
proof-of-concept, discussion) you habe to include source code, everybody can
see as plain text. If one of your customer has evil intensions he can look
at all interna of your application, e.g. XSL-stylesheets, SVG data, the
sitemap or XML files with private data.

Idea:
Protect some files from read directly from the file system. When running
Cocoon, it should decrypt those files without having to change any code of
the Java apps (Cocoon, Tomcat, Jetty, whatever).

Solution:
To do so, you can replace the java.io.FileInputStream class with one you can
easily extend. E.g. via looking for the file extension and if it's ".xmap"
decrypt the file. You can easily crypt those files before building the demo.
The problem is that java.io.FileInputStream uses native methods so that you
cannot change the file directly. But you can write your own
WrappedFileInputStream which uses it's own native methods. The shared
library acts like a wrapper, so calling "WrappedFileInputStream.open()"
will forward the call to "FileInputStream.open()". If you've done that, your
own FileInputStream can extend WrappedFileInputStream and decrypt files as
needed. You can then use -Xbootclasspath to replace the JDK's
FileInputStream with your version.

I've done so with Jetty, Cocoon, J2SE 1.4.2 on Win32 and it worked.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org