JavaEE: Ensure WAR files may not be changed - security

I am currently working in a WEB Java project and I have the following requirement: I have to make sure our customers don't have access to the packaged files in order to change them. Actually, I'd like to do that with only a few of those classes but without using any obfuscators due to the size of my project and the resources it uses to accomplish some tasks (reflection, annotations, interceptors, etc).
Does anybody have any tips?
Thanks,
Luan

Related

Angular 2 web application within an already existing Maven project

In order to present a brand new way of developing a web application, our team decided to create an Angular 2 web application that will be integrated within an already existing Maven Project in Eclipse Mars which DOES NOT use NodeJS nor Angular.
We are currently using the frontend-maven-plugin belonging to com.github.eirslet and managed to download and install both node.exe and npm.
Now, here is the deal: our web application has its own package.json file with all the configuration required to run properly, BUT we would like to be able to differentiate between the web applications, as each one of them belongs to a different working directory (i.e. com.webapp.app01, com.webapp.app02, ...).
As the plugin does not let the user use the npm install command on different directories, we were wondering about how we could reach this goal... maybe using a general package.json, but generating all .js and dependency files in each project directories.
Would that be something even possible?
Could you give us some help?
Thank you.
Cheers!
What I would suggest is to have a multi-module maven project, with a common parent, and children, that would give you this kind of architecture:
parent-project
|-child-project1 (java project)
|-child-project2 (webapp1)
|-child-project3 (webapp2)
|....
|-child-projectn (webapp n-1)
This way you can have for each web-app the frontend plugin available. And you can handle the flow of the build from the parent project (for instance if webapp2 needs to be built before webapp1, you can orchestrate it from the parent)
We decided to generate all the libraries locally and upload them to SVN, due to the fact that the already existing structure cannot be changed and the maven plugin is too much limited for our purpose.
Thank you for your replies, though. :-)

where is war exploded in Liferay 7 tomcat after getting copied in osgi folder

I deployed a portlet in liferay 7 and it got deployed successfully and was available for use. I want to replace the jsp file, in earlier version I could see my application in tomcat/webapps folder and replace it quickly.
Now I am unable to locate the exploded war in liferay 7. I can only see the war in osgi/war folder.
Can someone help me with that.
Thanks in advance.
While I mostly agree with what Olaf wrote, I do understand the need to be able to make changes in JSP files and try them quickly during development. I'm afraid I don't have the solution for that yet.
However, let me answer the question you asked:
where is war exploded in Liferay 7 tomcat after getting copied in osgi folder
It is NOT (at least not the way it was done by application servers)! When you deploy a WAR file in Liferay 7, it will automatically (on the fly) convert it into OSGi bundle and install it in OSGi runtime. This way now Liferay is fully in charge of deploying plugins and does not need to rely on various application servers.
PLEASE NOTE: Every bundle has it's own state folder. In Liferay those are in <LIFERAY_HOME>/osgi/state. If you know the bundle ID you can easily find it. It may be (I haven't checked) that you'll find some JSP files there. The reason I'm writing this is to warn you (in case you figured it yourself) to NEVER modify bundle's state folder manually. Doing so may brake the whole environment. In worse case scenario you may have to redeploy everything in clean environment.
You should not rely on behavior like this. In previous versions it was the task of the application server to compile changed JSPs at runtime. However, this is bad practice in production systems and totally screws up your maintainability. If you need to update some UI code frequently, I'm suggesting you change your implementation to utilize ADT (Application Display Templates), e.g. through Freemarker or Velocity. Those are meant to be updated at runtime, where the JSP updates were a side effect of Tomcat's default (development friendly, production hostile) configuration

What is the best way to use puppet to update files within a WAR file?

We have several web projects that we deliver as .war files and deploy to jboss. We have a situation where the exact same "war"/code base is delivered to multiple environments with each environment requiring different auth-constraints to be defined in the web.xml. What is the best way/best practice on delivering these different configurations.
You can either
supply specific builds for each environment
deploy the same build everywhere and use Puppet or similar tools to manage specific web.xml content per environment
Which is cleaner and/or more easy to implement depends on your existing work flows. There may be other alternatives as well.

Where to put a library shared between portlets in Liferay?

I need to share a library (built in-house) between portlets and I prefer to put it in a common place instead of adding it as dependency to every portlet that need it because I want to update the library once. Can I build a hook or ext plugin that the portlets can refer to and access the library? I know that you can add it to the common library directory and add it to liferay-plugin-package.properties for each portlet but the location depends on the application server. I want to know, there is a standard or cleaner way to do this? Thanks in advance.
With the tomcat bundle, the common usage is to put these in the tomcat/lib/ext folder.
There is one big drawback, every modification in this folder will require a server restart.

OSGi Bundle Repositories

I am empirically testing OSGi Bundles and their relationships for this I need lots of bundles.
Making these datasets is a difficult task. I already have Eclipse update (1700 Bundles) sites and Spring Enterprise bundle repository for testing, however I want more, anyone out there got massive amounts of bundles.
I don't even need the code, just the manifests would be fine.
Cheers
Google Code Search returns 15800 results for query 'Bundle-SymbolicName file:MANIFEST.MF'. If you find some way to automatically download them and remove duplicates you might get a sizable dataset.
Another similar idea is to find some way to search the Maven central repository for artifacts that include OSGi bundle manifest.

Resources