CFM file obfuscate or encrypt


crenpeva

Apr 11, 2012, 8:08:15 AM
to Railo
Dears,
Can I encrypt the cf or cfc files like ColdFusion does?
I use crypt.exe to encrypt cf files on CFMX7, but on Railo server 3
it doesn't work.
Can you help me?
Thanks

Mark Drew

Apr 11, 2012, 8:13:55 AM
to ra...@googlegroups.com
I can help you Sir.

No, you cannot use crypt.exe itself.

But what you CAN do is create a mapping to the root of your source code and then edit the mapping and create a sourceless Railo archive. This archive can contain your application without source code, as it is all now compiled, and you can't decompile it to anything that makes sense.

I hope that helps

MD

crenpeva

Apr 11, 2012, 8:54:00 AM
to Railo
Thanks,
but how do I do this? I'm not an expert in Railo. Is it in the Railo admin
server? Where? Can you put an example here, or how do I configure
this?

Mark Drew

Apr 11, 2012, 9:12:01 AM
to ra...@googlegroups.com
Here is a screencast of me creating a secured archive



MD 

Dave Merrill

Apr 11, 2012, 10:10:58 AM
to ra...@googlegroups.com
Be aware that the Railo archive contains only the CFML files; html, css, js, images, etc. are not included. If you're shipping a product or other closed-source tool, you need to ship both the archive and another directory or zip with the rest of your assets, and have your install or your customer set up a mapping that points to both the Railo archive and the uncompressed version of your other files.

Also note that the disk path where you created the archive is compiled into the .class files in the archive, and is what shows in error msgs etc. You may want to pay some attention to that location when you build the archive.

Lastly, if you then want to update just a few of the CFML files in your archive on a customer's site, it's a bit tricky. File and directory names in the archive may be altered beyond having a .class extension. You either have to locate and replace the appropriate class files within the archive on the customer's site, or rename the compiled files back to their original CFML names, and put them in the corresponding non-resource location. There's some discussion of the process required to do this procedurally on this list, but in my experience, it's not entirely accurate. Some day, if I get the time (hah), I'd like to build a Railo extension that would automate the process of creating a zip containing both compiled and renamed CFML files and non-CFML ones. We have that working here, but it's part of a patch management app that talks to our source control system and a db, not a Railo extension. Perhaps some day such a thing will be part of Railo itself. It's a real need for developers who want to ship incremental updates to an app delivered as an archive.

Dave

Michael Offner

Apr 11, 2012, 1:04:56 PM
to ra...@googlegroups.com
You can also take the compiled version of the cfm/cfc file out of the cfclasses folder and replace the original file with the file from the classes folder.

If you ask how secure this is, the answer is: much more secure than "crypt.exe", because for "crypt.exe" there is a decompiler around that lets you decrypt all encrypted files in seconds.
But there is no way to convert compiled cfm/cfc files back to their source files. You can decompile back to Java source code, but this will not help a lot, and even this will not always be possible, because we are writing Java bytecode that cannot be decompiled to Java code in any case.

/micha
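
A pre-shipping check built on the two points above (files replaced by their compiled form, and the build path being compiled into the class files). This is an added example, not code from the thread or from Railo; it assumes the compiled files are ordinary Java class files, which begin with the bytes CA FE BA BE, and that the build path is stored in them as plain ASCII. `audit_tree`, `demo` and the sample tree are constructed for illustration.

```python
import os
import tempfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file
CFML_EXTS = (".cfm", ".cfc")


def audit_tree(root, build_path=None):
    """Return (plaintext, compiled, leaking) lists of CFML-named files under root."""
    plaintext, compiled, leaking = [], [], []
    needle = build_path.encode("utf-8") if build_path else None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(CFML_EXTS):
                continue  # html, css, js, images are out of scope here
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            if data[:4] != CLASS_MAGIC:
                plaintext.append(rel)  # readable source would ship as-is
                continue
            compiled.append(rel)
            if needle and needle in data:
                leaking.append(rel)  # build machine path visible in the class
    return sorted(plaintext), sorted(compiled), sorted(leaking)


def demo():
    """Run the audit over a constructed tree (fake class bodies, not real bytecode)."""
    header = CLASS_MAGIC + b"\x00\x00\x00\x32"
    samples = {
        "index.cfm": header + b"/home/dev/build/app/index.cfm",
        "model/User.cfc": header + b"/opt/release/app/model/User.cfc",
        "admin/debug.cfm": b"<cfoutput>#now()#</cfoutput>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return audit_tree(root, build_path="/home/dev/build")


if __name__ == "__main__":
    print(demo())
```

Any entry in the first list is a file that would go to the customer as readable CFML; any entry in the third list was compiled from a location you may not want showing up in error messages.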

