I understand Vaadin has many security features, but what about protecting the .war file from reverse engineering?
If I upload a .war to a PAAS (such as Jelastic provides) how do I know my code is safe? There are virtually no posts about obfuscation except [this one]
(https://vaadin.com/forum/thread/298955) from 7 years ago. ProGuard seems convoluted with Vaadin/WARs, is there a better approach? Is obfuscation not necessary?
Thank you.
Generally, this is not about Vaadin, but Java run environment. Attempt to obfuscate or encrypt Java bytecode is really extreme measure. My assumption is that almost nobody does it, since typically there are enough roadblocks before getting access to WAR file in production and there is performance impacts etc. In theory obfuscating or encrypting Java classes is possible. That will require writing custom class loader (which is not straightforward) or use 3rd party implementation (if you dare), doing rigorous testing that your custom class loader is no worse than standard one, etc. And if that attempt is successful, Vaadin will know nothing about it, it will just run in that environment normally.
https://stackoverflow.com/questions/4257027/how-can-you-protect-encrypt-your-java-classes
Thanks Tatu,
Just to clarify, when you say:
My assumption is that almost nobody does it, since typically there are enough roadblocks before getting access to WAR file in production
Are you saying that it’s likely sufficient to upload the bare-bones, unencrypted/un-obfuscated .war file to the server, since the company hosting my server should have enough safe-guards in place to prevent users from downloading the .war?
My confusion stems from not understanding how obtainable .war files are on an app-server. If a user is able to access the .war file, and use the application, does that not imply they can also view the contents, or download the .war for later?
It feels so vulnerable. Any feedback is great.
Methods of obfuscation / encryption discussed in the linked documents, are not applicable for most typical PAAS cases, since you typically cannot reconfigure those running environments (i.e. change class loader, etc.) So the question is more like, whether you can use PAAS / cloud hosting service that takes WAR’s or is the nature of your application requiring you to acquire, e.g. hosted virtual machine, dedicated HW or something like that, which you can configure as you like. And case you have such environment, there are typically enough roadblocks, that obfuscation is not necessary. I would assume that in some cases there are within organization security risks, which may mandate extreme security measures.