Protect Jar/War Project with Java BCE Protection Mode
Introduction
Virbox Protector Standalone support to protect the Java projects, include Jar, War archives and class file and related data resource.
Virbox Protector supports developer to protect Java projects with 2 kinds of protection mode: Java VME and Java BCE (2 different kind of Virbox Protector license required), developer may either select the BCE Mode or VME mode or combine using both modes together to protect your Java project, depends on your security requirement:
--With Virbox Java VME protection mode, The bytecode of the Java's method will be transformed into self-defined bytecode which executed in Java Virtual Machine environment. With Virtualization protection, all of bytecode executed in the JVM will be convert into the instructions executed in private VM, and provides most secured environment for Java project's execution and effective to defend the retrieving and cracking by latest decompiler available in the market. Java VME is suitable for the developer who require to protect their IP/code with highly security.
When developer use the Virbox Protector VME mode to protect your Java Projects, developer may drag your JAR Archives or WAR Archives into Virbox Protector GUI tools and click to select those functions which you want to protect/encrypt, select the "Protection Mode" to be the "Virtualization", and then click the "Button" of "Protect Selected Project". then the JAR or WAR archives will be protected by Java VME mode.
--With Virbox Java BCE protection mode, The bytecode of each method of Java class file will be protected and encrypted, the bytecode will be only decrypted in execution; the execution and decryption rely on relevant java agent.
When developer use the Virbox Protector BCE Mode to protect your Java Project, developer may drag the Folder which contain the JAR or WAR archives into the Virbox Protector GUI tools, click to "Protect Selected Projects" to protect your JAR or WAR projects, after the protection completed, the Encrypted JAR, WAR archives and sjt_agent.jar will be generated.
Java BCE mode Doesn't support following scenario:
The JAR or WAR file which protected by Java BCE mode doesn't support the referenced/called by other projects
Compile the protected JAR archives into the exe file to execute;
If developer want to protect/encrypt above 2 scenarios JAR or WAR project, you may select the Java VME mode to protect your Java Project.
The Difference Between Java VME and Java BCE
The Encryption technology is different:
With VME mode, it supports to protect/encrypt the Java Method with Virtualization mode,
With the Java BCE Mode, it supports to protect/encrypt the Java bytecode of each method of Java class file, when executed, the encrypted bytecode will be decrypted dynamically in Java agent.
The execution is different:
With VME protection mode, the execution of protected JAR/WAR archive is same as previous unprotected JAR archives;
With BCE protection mode, the execution of protect JAR/WAR archives need to rely on the sjt_agent.jar;
The Encryption Operation is different:
With Java VME protection, developer may drag and encrypt the JAR archive directly;
With Java BCE protection, developer need to put the JAR/WAR into a folder and drag a whole Java folder to protect it.
With VME Protection mode, The Encrypted JAR or WAR archives supports the referenced by other projects; and not supported with BCE protection mode;
With VME Protection modes, The encrypted JAR or WAR archives support to be compiled to be execution file to execute directly. and not for the encrypted JAR or WAR archives by BCE mode
Virbox Protector Standalone supports to protect Java application (Jar, War, or Java SDK both in GUI tool and CLI tool.
Protection sample & Environment
Here we use Virbox Protector Standalone GUI tools to show the protection process with BCE protection mode, and also introduce the protection process by use of Virbox Protection CLI mode. Developer may freely to select Virbox Protector GUI or CLI tool to protect their Java project with BCE mode.
A Folder which contained the Jar archive has been used as a sample to show the whole protection process step by step; and the protection process to War Archive is same as Jar Project process. Developer may refer the Jar Protection process to protect War Project for test and evaluation also.
the Operation environment is windows.
The version of Virbox Protector GUI tools is 2.5.0 trial edition.
Protect your Jar project with BCE mode in 5 steps
Import the Jar/War project: Drag the whole jar/war folder into the Virbox Protector GUI tools;
Select The Jar file to be protected in the "Java Files" tab; and Set output path in the "Protection Option" tab;
Click "Protect Selected Projects" to start Protection process to the Java Project;
Backup the source Jar/War project, rename and use the protected project to source file name and save the configuration files etc.
Deployment and execution
Prerequisites
Sign-up Virbox Protector website to apply a trial license and install the Virbox Protector;
execute Virbox Protector (virboxprotector.exe) and sign in your account with your trial license
Above pre-requisition is for test/evaluation Virbox Protector only.
To protect formal and commercial release software, pls purchase and get the related Virbox Protector BCE license.
Protection Process
1. Import the JAR Folder into the Virbox Protector GUI tool:
Open the Virbox protector GUI tool and login to your account, drag the whole folder of JAR or WAR Project located into the Virbox Protector, in the sample case, the Jar Folder name is "Jar Folder", the Jar file we used is: demo-0.0.1-Snapshot.jar; as shown as the snapshot below: and show JAR file information in the "Basic info" tabs, shown as snapshot below:
The difference to use Virbox Protector BCE mode and VME mode in Operation is:
With BCE mode, Drag whole folder of Jar Project into Virbox Protector.
With VME mode, Drag the Jar project to Virbox Protector, not drag whole folder.
2. Select The JAR file to be protected in the "Java Files" tab; and Set output path in the "Protection Option" tab;
Go to "Java Files"tabs, Developer may Select those Jar/War file via Jar Files tab for those Java files which need to be protected:
Click "Select Files "Button" to select the JAR file which you want to protect;
use Ctrl+A to select all Jar file (execution performance may impact if you select all of Jar file to be protected),
Password for Java File: you can set and input the password to protected Java file, suggest to set the password, and keep the password, so, when the Java file update later, you can use consistent password to encrypt the Java file, and it is not require to update the sjt agent file: sjt_agent.jar
Then click OK button on the bottom to complete selection and protection setting.
Now, Go to the Protection Option tabs, and Set output path: the on default output is same directory which Jar file located.
3. Click "Protect Selected Projects" to start Protection process to the Java Project;
Click "Protect selected Project" to start protection; as shown as below:
Then go to the output folder, you will find a news file and new folder has been generated, as the the sample show as below:
The new file which name "Jar Folder.ssp", is the configuration file which stored the protection option setting.
The new file folder which name "Jar Folder Protected", is the protected Jar Folder; you can find following files contained in this folder:
demo-0.0.1.SNAPSHOT.jar
: Protected Jar project;
sjt_agent.jar
: the jar agent file which will be used in future deployment;
readme.txt
: a instruction file to deployment.
4. Backup the source Jar/War project, use the protected project to further testing and save the configuration files etc.
Then, don't publish the original Jar file. located in "Jar Folder",
Use the protected Jar project located in the "Jar Folder Protected" to further deployment testing. It is not necessary to distribute the configuration file: Jar Folder.ssp, to your enduser. please keep it, if you use Virbox Protector CLI tool to protect your Java projects, it is useful configuration file when you use Virbox Protector CLI tool later.
In General, With Virbox Protector, with this Quick Start Guide, Developer may quickly to go through whole protection process to protect Jar application. for more details instruction, developer may take refer from the User Manual-Virbox Protector Standalone, or contact us directly.
The War Project Protection process with BCE mode is same as Jar Project's protection process.
5. Deployment and execution
The deployment of Jar/War Project protected with Java BCE mode is different from the deployment of Jar project with VME protection. the Jar project deployment and execution depends on the Java agent.
5.1. JAR Deployment
Developer need to specify the sjt_agent.jar
file path and location when execute the JAR Archives;
Windows Environment
Specify the sjt file location/path when execute the protected Jar archive
If sjt library and the Jar archive are located in the same directly, you can execute the following command in the current Jar archive's directory.
java -javaagent:sjt_agent.jar-jar ***
.jar
If sjt library and jar archive is not in the same directly, you need to assign the absolute directory.
java -javaagent:C:\Users\test\Desktop\sjt\sjt_agent.jar -jar ***
.jar
Linux Environment
Developer need to specify the sjt_agent.jar file path and location when execute the JAR Archives;
If the sjt library located in the same directory with Jar archive, you can excute the following command in the current directory:
java -javaagent:sjt_agent.jar -jar ***
.jar
If the sjt library is not in the same directory with the jar archive, you need to assign the absolute directory:
java -javaagent:/home/sense/Desktop/sjt_so/sjt_agent.jar -jar ***
.jar
macOS Environment
Developer need to specify the sjt_agent.jar file path and location when execute the JAR Archives;
If the sjt library located in the same directory with Jar archive, you can execute the following command in the current directory:
java -javaagent:sjt_agent.jar -jar ***
.jar
If the sjt library is not in the same directory with the jar archive, you need to specify the absolute directory:
java -javaagent:/Users/sense/sjt/sjt_agent.jar -jar ***
.jar
5.2. WAR deployment
Windows Environment
There will be 3 scenario to configure the system environment, you can select one of them which depends on your WAR project:
Set setenv.bat under the tomcat directory
Create the setenv.bat in the tomcat\bin directory, for example:
a) Create “setenv.bat” in the tomcat\bin directory, set the environment variable: (absolutely path):
set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:sjt_agent.jar
b) Put the encrypted "WAR archive" into the location: .\apache-tomcat\webapps and start the tomcat service.
2. Start the tomcat when system service started
a) First you need to uninstall the tomcat service, use the console command:
service.bat uninstall
to uninsall tomcat service;
b) Add the sjt_agent.jar in the parameter of JvmOptions in the service.bat, as shown as snapshot below:
c) Then use the command: service.bat.install
in the console windows to install:
d) then start "tomcat" service in the system service;
e) put the protected "War archive" into the folder of ".**\apache-tomcat\webapps
, then start tomcat service.
3. Start service when you using tomcat9.exe
a) First step is to start the tomcat9w.exe
b) add the sjt lib in the Java Options list, as shown in the snapshot below:
c) Execute tomcat9.exe to start tomcat service and put the protected war archive into the folder .\apache-tomcawebapps
, then start the tomcat service.
Linux Environment
Set Setenv.sh in the tomcat directory:
a) Create a new setenv.sh in the tomcat\bin directory, the absolute path environment variable can be set as follows:
CATALINA_OPTS="$CATALINA_OPTS -javaagent:sjt_agent.jar
as shown below:
b) Start tomcat service, you can view the CATALINA_OPTS
*parameter* be set
c) Put the encrypted WAR archive in the directory: .\apache-tomcat\webapps
If the War archive can be parsed correctly, the webpage can run correctly.
If you have configured the environment variable, the default system environment for Java execution will use the environment variable you have set, even you have assigned the *sjt* library location.
macOS Environment
a) Create a new setenv.sh
in the tomcat\bin directory, the full path environment variable can be set as follows:
CATALINA_OPTS="$CATALINA_OPTS -javaagent:/Users/sense/sjt/sjt_agent.jar
b) Start tomcat system service, you can view the parameter of CATALINA_OPTS
set
c) Put the encrypted war archive in the directory:
.\apache-tomcat\webapps
If the War archive can be parsed correctly, the webpage can run correctly.
Last updated