
I'm trying to protect my JavaFX code beyond that of ProGuard. I understand that any code that a user has in their possession is fair game. That means I need to move all my sensitive business logic onto a server which can be confidently protected.

Due to my limited server-side experience I'm looking for an explanation/example of how to develop the client-server connection so it's secure and reasonably fast. My main confusion relates to what is required in the client-side code such as server initialization and get/put requests(?), and also which files or code I put on the server (and where).

I've linked 3 quotes below from relevant answers to provide some background. The posts respectively are found here, here and here. The first one states:

> we "protect" our software by having part of the computation happening on the server side: we have several .class that won't work unless they're generated from the server side and we send them down the wire (and what is sent on the wire is always different: we're generating unique, one-off .class files on the server side).

This suggests generating entire class files on the server side. A few of my classes I'd want to fully have on the server, but many class files only contain methods which are sensitive and would need to be server based. The second link states:

> Move the most critical parts of the service out of the app, and into a web service, hidden behind a server side language like PHP. Move the algorithm and have it process the data on a remote server, and use the app to simply provide it with the data.

This seems more aligned with my intentions but I'm confused how to perform these "move" and "processing" functions. Do I simply replace the sensitive methods/class calls with get() requests to the server, which is behind an SSL connection provided by any basic server provider? Can you find a relevant full example?

Third quote:

> Set up a server that responds to requests from your app, "uses" the assets (whatever that might mean) and then sends the result back to the app.

Once again, an example of how to "request", "use", and "send" entire methods/classes in a JavaFX context would be excellent. I'm willing to read all day, I just need guidance on this initial step so I start on the right foundation.

Mathomatic
  • Unfortunately this is too broad for StackOverflow :( To give you some pointers, see: [create a rest service](http://www.mastertheboss.com/jboss-frameworks/resteasy/resteasy-tutorial) and access it via a [client using basic auth](http://www.mastertheboss.com/jboss-frameworks/resteasy/resteasy-basic-authentication-example), or (more sophisticated) an [oauth based token service](http://blog.novatec-gmbh.de/secure-web-application-wildfly-swarm/). Similar setup using [spring boot](http://stackoverflow.com/questions/32548372/how-to-secure-rest-api-with-spring-boot-and-spring-security). – jewelsea Oct 31 '16 at 21:02
  • Have you looked into using RDP RemoteApp or similar virtualisation? We're using that to protect our code as it means the end-user never actually gets our software, they only see a mirror of the images created on screen. It's working well with JavaFX so far. – Geoff Nov 01 '16 at 13:32
  • @jewelsea, my second link above refers to a broad question so I thought I was OK, please feel free to deflect this (final) question: I spent the night reading about REST but since I use IntelliJ Community Edition, I've read that there's an issue making a RESTful service since the WebServices plugin doesn't exist in the plugin repo and I can't create a JavaEE app, only the Ultimate version can. But the first link you wrote uses WildFly and Maven. I already use Maven so I assume I just integrate the tutorial's code? Will this work properly in IntelliJ CE? I'd rather not use Eclipse if possible. – Mathomatic Nov 01 '16 at 18:03
  • @Geoff, thanks for the feedback but my initial thought was: How would a RemoteApp allow a user to dynamically swap libraries (.dll) in order to comply with LGPL's dynamic linking requirement? My app also requires communication with the user's system such as accessing an H2 database file, and accessing another desktop software via AutoIT/JACOB. The RemoteApp "appears" to provide a layer of abstraction/isolation which may impede my requirements. Thanks for any further info – Mathomatic Nov 01 '16 at 18:07
  • @mathomatic IntelliJ CE will work fine for development of server-side services. IntelliJ UE does provide more facilities but is not mandatory. IntelliJ UE has a free trial so you can judge for yourself if it is worthwhile. I know numerous developers who are extremely proficient developing server side services using just text editors such as Notepad+ or Emacs, though they are not me and I like the IDEs. – jewelsea Nov 01 '16 at 18:27
  • That's all the encouragement I need, regards. – Mathomatic Nov 01 '16 at 18:31
  • For anybody interested, I've posted this question on reddit [here](https://www.reddit.com/r/JavaFX/comments/5akilv/javafx_put_sensitive_code_and_computations_on/) which has received 2 notable comments so far. One says that class file generation on server side is superfluous, and the other suggests using Java Spark. They both point toward REST as does jewelsea. I'd be interested to hear jewelsea's or other opinions on Java Spark in my context, it seems to fit the bill after initial research. Thanks. – Mathomatic Nov 02 '16 at 17:06

0 Answers
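The pattern the question and comments converge on (keep the sensitive method on the server, have the client send only inputs and receive only results) is shown below as an added example; it is not code from the thread or from any project it links to. It assumes Java 11+ and the JDK's built-in `HttpServer` and `HttpClient`; the class name, `/price` endpoint, token and pricing formula are hypothetical stand-ins.

```java
import com.sun.net.httpserver.*;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class RemoteLogicDemo {
    // Constructed demo token; a real service issues per-user credentials.
    static final String TOKEN = "demo-token-constructed";

    // Stand-in for the sensitive business logic: it exists only on the server.
    static double price(double quantity) {
        return quantity * 4.2 + 10;
    }

    // Server side: authenticate, validate the input, compute, return only the result.
    static void handle(HttpExchange ex) throws java.io.IOException {
        int status = 200;
        String body;
        String auth = ex.getRequestHeaders().getFirst("Authorization");
        byte[] want = ("Bearer " + TOKEN).getBytes(StandardCharsets.UTF_8);
        if (!"POST".equals(ex.getRequestMethod())) { status = 405; body = "POST only"; }
        else if (auth == null || !MessageDigest.isEqual(want, auth.getBytes(StandardCharsets.UTF_8))) { status = 401; body = "unauthorized"; }
        else try {
            // Read at most 64 bytes: the client is untrusted, so bound everything it sends.
            String in = new String(ex.getRequestBody().readNBytes(64), StandardCharsets.UTF_8).trim();
            double q = Double.parseDouble(in);
            if (!(q >= 0 && q <= 1e6)) throw new NumberFormatException(); // also rejects NaN
            body = Double.toString(price(q));
        } catch (NumberFormatException e) { status = 400; body = "bad input"; }
        byte[] out = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, out.length);
        ex.getResponseBody().write(out);
        ex.close();
    }

    // Client side: what replaces the local call to the sensitive method in the desktop app.
    public static void main(String[] args) throws Exception {
        // Plain HTTP on loopback for the demo only; a deployment serves this over HTTPS.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/price", RemoteLogicDemo::handle);
        server.start();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/price");
        HttpRequest req = HttpRequest.newBuilder(uri).header("Authorization", "Bearer " + TOKEN)
                .POST(HttpRequest.BodyPublishers.ofString("3")).build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode() + " " + resp.body());
        server.stop(0);
    }
}
```

In a real deployment the handler and `price` live in the server project only, and the shipped client contains just the request code; a token embedded in the client is as recoverable as any other client code, so the server should treat it as identifying a user, not as a secret.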