Runtime Decryption in WebLogic
Here are the detailed steps for encrypting and decrypting Java class files at runtime in a WebLogic server environment:
Step 1: Encrypt the Class Files
Generate an AES Encryption Key:
Use a secure method to generate an AES key.
import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import java.util.Base64; public class KeyGeneratorExample { public static void main(String[] args) throws Exception { KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); // 256-bit key SecretKey secretKey = keyGen.generateKey(); String encodedKey = Base64.getEncoder().encodeToString(secretKey.getEncoded()); System.out.println("AES Key: " + encodedKey); } }Save the generated key securely. Example output:
AES Key: abcdefghijklmnopqrstuvwxyz1234567890ABCDEF
Encrypt the Class File:
Use the AES key to encrypt the class file.
import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; import java.nio.file.Files; import java.nio.file.Paths; import java.util.Base64; public class EncryptClassFile { public static void main(String[] args) throws Exception { String key = "your_base64_encoded_key"; // Replace with your key byte[] keyBytes = Base64.getDecoder().decode(key); SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES"); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); byte[] classFileBytes = Files.readAllBytes(Paths.get("YourClassFile.class")); byte[] encryptedClassFile = cipher.doFinal(classFileBytes); Files.write(Paths.get("YourClassFile.class.enc"), encryptedClassFile); System.out.println("Class file encrypted successfully."); } }Replace
"YourClassFile.class"with the path to your class file.
Step 2: Deploy the Encrypted WAR File
Replace Original Class Files with Encrypted Ones:
Rename the encrypted class file with the
.class.encextension and place it in the same directory within the WAR file.
mv YourClassFile.class.enc /path/to/war/WEB-INF/classes/YourClassFile.class.encRepackage the WAR File:
Use the
jarcommand to repackage the WAR file.
cd /path/to/war jar -cvf ../encrypted.war *Deploy the WAR File:
Deploy the encrypted WAR file to your WebLogic server using the WebLogic Administration Console or the command line.
Step 3: Configure Runtime Decryption
Modify the Application to Decrypt at Runtime:
Add decryption logic to your application to decrypt the class files at runtime before loading them.
Load the Decryption Key Securely:
Store the decryption key securely, such as in a secure key management service or environment variable.
Implement Custom ClassLoader:
Implement a custom
ClassLoaderthat loads and decrypts the class files at runtime.
import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; import java.nio.file.Files; import java.nio.file.Paths; import java.util.Base64; public class EncryptedClassLoader extends ClassLoader { private SecretKeySpec secretKey; public EncryptedClassLoader(ClassLoader parent, String key) { super(parent); byte[] keyBytes = Base64.getDecoder().decode(key); this.secretKey = new SecretKeySpec(keyBytes, "AES"); } @Override protected Class<?> findClass(String name) throws ClassNotFoundException { try { String path = name.replace('.', '/') + ".class.enc"; byte[] encryptedClassFile = Files.readAllBytes(Paths.get(getClass().getResource("/" + path).toURI())); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.DECRYPT_MODE, secretKey); byte[] classFileBytes = cipher.doFinal(encryptedClassFile); return defineClass(name, classFileBytes, 0, classFileBytes.length); } catch (Exception e) { throw new ClassNotFoundException(name, e); } } public static void main(String[] args) throws Exception { String decryptionKey = "your_base64_encoded_key"; // Replace with your key EncryptedClassLoader classLoader = new EncryptedClassLoader(ClassLoader.getSystemClassLoader(), decryptionKey); Class<?> clazz = classLoader.loadClass("YourClassName"); Object instance = clazz.newInstance(); // Invoke methods on the instance } }Package Your Custom ClassLoader:
Compile your custom
ClassLoaderand package it into a JAR file. This JAR file will be included in your WebLogic server's classpath or within your application.Modify
weblogic.xml:The
weblogic.xmldeployment descriptor is used to configure various settings specific to WebLogic Server. To ensure WebLogic uses your customClassLoader, follow these steps:Open the
weblogic.xmlfile located in theWEB-INFdirectory of your application.Add the necessary configurations to use your custom
ClassLoader.
Here’s an example of what your
weblogic.xmlmight look like:xml
<?xml version="1.0" encoding="UTF-8"?> <weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.4/weblogic-web-app.xsd"> <context-root>/yourapp</context-root> <container-descriptor> <prefer-application-packages> <package-name>com.yourpackage.*</package-name> </prefer-application-packages> </container-descriptor> <library-ref> <library-name>custom-classloader-lib</library-name> <specification-version>1.0</specification-version> <implementation-version>1.0</implementation-version> </library-ref> <class-loader-structure> <class-loader-structure> <class-loader> <name>customClassLoader</name> <system-properties> <property> <name>encryptedClassLoader</name> <value>com.yourpackage.EncryptedClassLoader</value> </property> <property> <name>decryptionKey</name> <value>your_base64_encoded_key</value> </property> </system-properties> </class-loader> </class-loader-structure> </class-loader-structure> </weblogic-web-app>Deploy the Application:
Ensure the custom
ClassLoaderJAR file is included in your WAR file or placed in the WebLogic server's classpath.Deploy the WAR file to your WebLogic server.
Important Considerations
Security: Ensure that the decryption key is stored securely and not hard-coded in the application.
Performance: Runtime decryption may introduce performance overhead.
Testing: Thoroughly test the application to ensure that the decryption process works correctly and does not introduce any issues.
Last updated
Was this helpful?