Posted to users@cocoon.apache.org by Jörn Heid <he...@fh-heilbronn.de> on 2003/10/22 09:47:04 UTC

How to protect a Cocoon project

Hello.

I want to give my customer a demo of my Cocoon based application which runs
with Jetty on their local machine.
But the problem is everybody can see the internals of the app. All the
pipelines in sitemap.xmap, all XSL and XML. It can be used to find backdoors
in the sitemap for example.

So the question is, how to protect files from being read directly.

A solution would probably be to encrypt (for example via XOR) all the files.
After that, Cocoon (Jetty) has to be started with modified Java-IO classes
(via bootclasspath).

Does anybody know which classes have to be changed or if there's somebody
who has done something like that...


JOERN_HEID


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Re: AW: How to protect a Cocoon project

Posted by Olivier Billard <ob...@rennes.jouve.fr>.
Sorry, I didn't read your mail properly :) My eyes are not well opened this morning ;)
But Alexander is right: it's your job to ensure there is no backdoor...




On 22/10/2003 10:10, Jörn Heid wrote:
> It's about a demo (with an installer).
> I can't say: Before you install, please create a new user and forget
> his password :)
> 
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On behalf of Olivier Billard
> Sent: Wednesday, 22 October 2003 09:54
> To: users@cocoon.apache.org
> Subject: Re: How to protect a Cocoon project
> 
> 
> Hi Joern,
> 
> Isn't it the goal of filesystems to protect files from being read by
> non-authorized persons? It's possible with WinNT, 2000, XP, and of course
> Unix-like OSes.
> Just give the right rights to the right persons ;)
> 
> --
> Olivier BILLARD
> 
> 
> On 22/10/2003 09:47, Jörn Heid wrote:
> 
>>Hello.
>>
>>I want to give my customer a demo of my Cocoon based application which 
>>runs with Jetty on their local machine. But the problem is everybody 
>>can see the internals of the app. All the pipelines in sitemap.xmap, 
>>all XSL and XML. It can be used to find backdoors in the sitemap for 
>>example.
>>
>>So the question is, how to protect files from being read directly.
>>
>>A solution would probably be to encrypt (for example via XOR) all the 
>>files. After that, Cocoon (Jetty) has to be started with modified 
>>Java-IO classes (via bootclasspath).
>>
>>Does anybody know which classes have to be changed or if there's 
>>somebody who has done something like that...
>>
>>
>>JOERN_HEID





Re: How to protect a Cocoon project

Posted by rufio <ru...@op.pl>.
on Wed, 22 Oct 2003 09:53:37 +0200 Olivier Billard
<ob...@rennes.jouve.fr> wrote:

> Hi Joern,
> 
> Isn't it the goal of filesystems to protect files from being read by
> non-authorized persons? It's possible with WinNT, 2000, XP, and of
> course Unix-like OSes. Just give the right rights to the right persons
> ;)

It's not a solution: when you send a demo, say, on a CD, the client may do
with it what he wants. Maybe hiding backdoors isn't a good example, just say
you don't want to give the source.

To Jörn:
Maybe a solution is to obfuscate compiled sitemaps. Assuming (I didn't
check) Cocoon compares only the mtime of the source and compiled sitemap, you
can remove the content of the source and set its mtime to older than the
compiled sitemap (or to the value before the truncation).
As for static files, there is storeJanitor, which may help a bit (a
small one :).

If Cocoon can read the files, the user can too; it's just a matter of time,
cost and knowledge. On the other hand, Cocoon shouldn't force people to write
only open source.

Obfuscating/xoring/rot13ing files should in most cases be enough, at
least until your app becomes so popular that people could simply ask on
usenet how to read your 'crypted' files. This of course needs modifying
Cocoon, but it's worth it if you want to make money on not OS Cocoon apps.

And remember: information wants to be free :)

Regards, Rufio
-- 
nmap -sS -O -p80,81 www.microsoft.com
[..]
Running: Linux 2.5.X
OS details: Linux Kernel 2.4.18 - 2.5.70 (X86)



Re: AW: How to protect a Cocoon project

Posted by Jorg Heymans <jh...@domek.be>.
You can precompile the stylesheets to classes so at least it's not
plaintext anymore. Ultimately that's what Cocoon does.
Put your XML into a database or something.
I don't know how you would go about masking the sitemap.

jorg

Jörn Heid wrote:

>It's about a demo (with an installer).
>I can't say: Before you install, please create a new user and forget
>his password :)
>
>-----Original Message-----
>From: news [mailto:news@sea.gmane.org] On behalf of Olivier Billard
>Sent: Wednesday, 22 October 2003 09:54
>To: users@cocoon.apache.org
>Subject: Re: How to protect a Cocoon project
>
>
>Hi Joern,
>
>Isn't it the goal of filesystems to protect files from being read by
>non-authorized persons? It's possible with WinNT, 2000, XP, and of course
>Unix-like OSes.
>Just give the right rights to the right persons ;)
>
>--
>Olivier BILLARD
>
>
>On 22/10/2003 09:47, Jörn Heid wrote:
>  
>
>>Hello.
>>
>>I want to give my customer a demo of my Cocoon based application which 
>>runs with Jetty on their local machine. But the problem is everybody 
>>can see the internals of the app. All the pipelines in sitemap.xmap, 
>>all XSL and XML. It can be used to find backdoors in the sitemap for 
>>example.
>>
>>So the question is, how to protect files from being read directly.
>>
>>A solution would probably be to encrypt (for example via XOR) all the 
>>files. After that, Cocoon (Jetty) has to be started with modified 
>>Java-IO classes (via bootclasspath).
>>
>>Does anybody know which classes have to be changed or if there's 
>>somebody who has done something like that...
>>
>>
>>JOERN_HEID


AW: How to protect a Cocoon project

Posted by Jörn Heid <he...@fh-heilbronn.de>.
It's about a demo (with an installer).
I can't say: Before you install, please create a new user and forget
his password :)

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On behalf of Olivier Billard
Sent: Wednesday, 22 October 2003 09:54
To: users@cocoon.apache.org
Subject: Re: How to protect a Cocoon project


Hi Joern,

Isn't it the goal of filesystems to protect files from being read by
non-authorized persons? It's possible with WinNT, 2000, XP, and of course
Unix-like OSes.
Just give the right rights to the right persons ;)

--
Olivier BILLARD


On 22/10/2003 09:47, Jörn Heid wrote:
> Hello.
> 
> I want to give my customer a demo of my Cocoon based application which 
> runs with Jetty on their local machine. But the problem is everybody 
> can see the internals of the app. All the pipelines in sitemap.xmap, 
> all XSL and XML. It can be used to find backdoors in the sitemap for 
> example.
> 
> So the question is, how to protect files from being read directly.
> 
> A solution would probably be to encrypt (for example via XOR) all the 
> files. After that, Cocoon (Jetty) has to be started with modified 
> Java-IO classes (via bootclasspath).
> 
> Does anybody know which classes have to be changed or if there's 
> somebody who has done something like that...
> 
> 
> JOERN_HEID





Re: How to protect a Cocoon project

Posted by Olivier Billard <ob...@rennes.jouve.fr>.
Hi Joern,

Isn't it the goal of filesystems to protect files from being read by non-authorized
persons? It's possible with WinNT, 2000, XP, and of course Unix-like OSes.
Just give the right rights to the right persons ;)

--
Olivier BILLARD


On 22/10/2003 09:47, Jörn Heid wrote:
> Hello.
> 
> I want to give my customer a demo of my Cocoon based application which runs
> with Jetty on their local machine.
> But the problem is everybody can see the internals of the app. All the
> pipelines in sitemap.xmap, all XSL and XML. It can be used to find backdoors
> in the sitemap for example.
> 
> So the question is, how to protect files from being read directly.
> 
> A solution would probably be to encrypt (for example via XOR) all the files.
> After that, Cocoon (Jetty) has to be started with modified Java-IO classes
> (via bootclasspath).
> 
> Does anybody know which classes have to be changed or if there's somebody
> who has done something like that...
> 
> 
> JOERN_HEID





Re: How to protect a Cocoon project

Posted by Alexander Schatten <al...@gmx.at>.
Jörn Heid wrote:

>Hello.
>
>I want to give my customer a demo of my Cocoon based application which runs
>with Jetty on their local machine.
>But the problem is everybody can see the internals of the app. All the
>pipelines in sitemap.xmap, all XSL and XML. It can be used to find backdoors
>in the sitemap for example.
>
>So the question is, how to protect files from being read directly.
>
>  
>
Two thoughts:

(1) Security by obscurity does not work, this is well known: so if they
could detect back-doors in your sitemap, something is wrong anyway and
you have to modify it.

(2) If you just want to protect your knowledge and methodology, then
this is another discussion:

Why not put this application online with password protection; then
they can test it online without the need to install it.

Or if it is really "big stuff", then you could think of making a Linux
CD that boots from CD/DVD like Knoppix with all your stuff
pre-installed, but *without* an open root password as Knoppix has it.

Then they enter the CD, boot from it, and that's it.


Alex
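
Added example (not part of any message in this thread): the XOR idea from the original post and rufio's reply, checked against the fact that XML and XSL files begin with a predictable prolog. The sitemap content, the key and all function names are constructed for illustration; it assumes a repeating key no longer than the known prefix and a file that starts with the standard prolog.

```python
from itertools import cycle

# A well-formed sitemap.xmap or XSL file normally starts with this prolog,
# so whoever holds the "encrypted" copy already knows these plaintext bytes.
XML_PROLOG = b'<?xml version="1.0"'

# Constructed sample standing in for a sitemap; the key is constructed too.
SAMPLE_SITEMAP = (
    b'<?xml version="1.0"?>\n'
    b'<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">\n'
    b'  <map:pipelines><map:pipeline>\n'
    b'    <map:match pattern="admin/*"/>\n'
    b'  </map:pipeline></map:pipelines>\n'
    b'</map:sitemap>\n'
)
SAMPLE_KEY = b"k3y!X7"


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext, known_prefix=XML_PROLOG):
    """Derive the repeating key from the predictable file header alone."""
    head = ciphertext[:len(known_prefix)]
    stream = xor_bytes(head, known_prefix)  # ciphertext XOR plaintext = keystream
    # The key is the shortest prefix whose repetition reproduces the keystream.
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def audit(ciphertext):
    """Return (key, plaintext) recovered without any secret input."""
    key = recover_key(ciphertext)
    return key, xor_bytes(ciphertext, key)


if __name__ == "__main__":
    protected = xor_bytes(SAMPLE_SITEMAP, SAMPLE_KEY)
    key, plain = audit(protected)
    print("recovered key:", key)
    print("file fully recovered:", plain == SAMPLE_SITEMAP)
```

The key never has to leak for this to work, which is why the hosted, password-protected demo suggested above is the only option in the thread that keeps the files off the customer's machine.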

