ColdFusion Sourceless Deployment

Next question for me was: how can we protect our core code base when we deploy applications on clients' servers? The answer was "you can't". Well, that's not strictly true. :D You can protect your code, but only from the "honest and the lazy", to quote a recent thread from one of my email lists. If anyone is really determined to get at your application code they can, but here are a few techniques that help to prevent access to your code:

  1. CFEncode - encrypts files using a key
    • easily undone with the readily available cfdecrypt application
    • the decrypted files are plain CFML pages
  2. EAR archive file deployment (http://livedocs.adobe.com/coldfusion/8/htmldocs/deploying_4.html#117456)
    • done via the CF Administrator deployment section
    • can include DSNs, CF Administrator settings, application source, etc.
    • CFML files are in clear text within the archive
    • requires a valid CF serial number: without one, CF reverts to the Developer edition after 30 days
  3. Sourceless Deployment
    • uses the cfcompile batch file found in \JRun4\servers\{servername}\cfusion-ear\cfusion-war\WEB-INF\cfusion\bin
    • CFML pages are converted into Java bytecode
    • the bytecode can easily be decompiled with a Java decompiler, but what comes out is Java rather than CFML
    • individual files or complete folders can be compiled
  4. EAR Archive and Sourceless Deployment
    • uses a combination of 2 and 3
    • compile the source code to bytecode before archiving

Using CFCompile

(http://livedocs.adobe.com/coldfusion/8/htmldocs/deploying_5.html#117556)
Before using cfcompile.bat you need to set some variables in the batch file.

  • CFUSION_HOME should be \JRun4\servers\{servername}\cfusion-ear\cfusion-war\WEB-INF\cfusion
  • J2EE_JAR should be \JRun4\lib\jrun.jar
  • WEBINF should be \JRun4\servers\{servername}\cfusion-ear\cfusion-war\WEB-INF\

To do a sourceless deployment, run the batch file with the -deploy option, providing three parameters: the web root, the directory to compile and the destination directory.
For example:

cfcompile -deploy d:\sites\mysite\ d:\sites\mysite\ d:\sites\mysite_sourceless

will deploy the entire d:\sites\mysite\ directory as sourceless into d:\sites\mysite_sourceless.
I was asked if it was possible to obfuscate the generated byte code further using something like YGuard.
Having just disassembled and decompiled a compiled ColdFusion page, I personally think the code is already pretty obscure even without the help of the likes of YGuard!
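After a -deploy run, the thing worth checking is that nothing under the destination directory is still readable CFML (a file skipped by the compiler, or copied over afterwards, would be served as clear-text source). The script below is an added example and is not part of the original post or of Adobe's cfcompile tooling. It assembles the command line described above from the three parameters, and then walks a destination tree looking for .cfm/.cfc files that still contain CFML. It assumes that sourceless-deployed files keep their .cfm/.cfc names but contain Java class bytecode beginning with the class-file magic 0xCAFEBABE; that assumption, the `cfcompile.bat` path and the sample tree it builds in a temp directory are all constructed for the demo.

```python
"""Sourceless-deployment helper (added example, not from the original post).

build_cfcompile_command() assembles the command line the post describes:
    cfcompile -deploy <webroot> <directory to compile> <destination>
find_cleartext_cfml() walks the destination tree after the run and reports
any .cfm/.cfc file that still holds readable CFML.

ASSUMPTION: compiled files keep their .cfm/.cfc names but contain Java
class bytecode starting with the class-file magic 0xCAFEBABE; anything
else is treated as a possible source leak.
"""
import os
import re
import subprocess
import tempfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"              # Java class-file header (assumed for compiled CFML)
CFML_EXTENSIONS = (".cfm", ".cfc", ".cfml")
CFML_MARKER = re.compile(rb"<\s*cf[a-z]+|\bcomponent\b", re.IGNORECASE)


def build_cfcompile_command(cfcompile_bat, webroot, source_dir, dest_dir):
    """Return the argv list for a sourceless (-deploy) compilation run."""
    return [cfcompile_bat, "-deploy", webroot, source_dir, dest_dir]


def run_cfcompile(cfcompile_bat, webroot, source_dir, dest_dir):
    """Run cfcompile.bat and raise if it exits non-zero (not used in the demo)."""
    subprocess.run(build_cfcompile_command(cfcompile_bat, webroot, source_dir, dest_dir),
                   check=True)


def classify_file(path):
    """'bytecode' if the file starts with the class magic, 'cleartext' if
    the first 4 KiB contain a CFML tag or a script component, else 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(CLASS_MAGIC):
        return "bytecode"
    if CFML_MARKER.search(head):
        return "cleartext"
    return "unknown"


def find_cleartext_cfml(dest_dir):
    """Sorted relative paths of CFML files under dest_dir that are not bytecode."""
    leaks = []
    for root, _dirs, files in os.walk(dest_dir):
        for name in files:
            if name.lower().endswith(CFML_EXTENSIONS):
                full = os.path.join(root, name)
                if classify_file(full) != "bytecode":
                    leaks.append(os.path.relpath(full, dest_dir).replace(os.sep, "/"))
    return sorted(leaks)


def build_demo_tree(base):
    """Constructed sample output: one 'compiled' page, two pages left in clear text."""
    os.makedirs(os.path.join(base, "admin"), exist_ok=True)
    with open(os.path.join(base, "index.cfm"), "wb") as fh:
        fh.write(CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 32)    # fake bytecode
    with open(os.path.join(base, "admin", "login.cfm"), "wb") as fh:
        fh.write(b'<cfset secret = "license-check">\n<cfoutput>#secret#</cfoutput>\n')
    with open(os.path.join(base, "Application.cfc"), "wb") as fh:
        fh.write(b"component {\n    this.name = 'mysite';\n}\n")
    return base


def demo():
    """Build the constructed tree in a temp dir and return the leaked paths."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_cleartext_cfml(build_demo_tree(tmp))


if __name__ == "__main__":
    cmd = build_cfcompile_command(r"cfcompile.bat", r"d:\sites\mysite\\",
                                  r"d:\sites\mysite\\", r"d:\sites\mysite_sourceless")
    print("would run:", " ".join(cmd))
    for leak in demo():
        print("still clear text:", leak)
```

Run it on the real destination with `find_cleartext_cfml(r"d:\sites\mysite_sourceless")` before the EAR is built; an empty list is the result you want, and any path it returns is a file that would ship as readable CFML.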


Resources

Here are some of the articles I read, and presentations I watched, while checking my facts.
Protecting Applications with WAR and EAR Packaging and Sourceless Deployment
Sean Corfield on the differences between Sourceless vs. J2EE Deployment
Designing ColdFusion Applications for Deployment as EAR Files
Oguz Demirkapi on Sourceless Code Deployment (Adobe Connect presentation)

Comments
@Stephen:

I think CFCompile is enough protection for most people. The amount of work it would take to decompile and make something useful out of the code would be pretty time-consuming.

Now, that's not to say it'll protect you from someone decompiling your code to provide a hack around some built-in registration/licensing code that you may have implemented in your code. That wouldn't be hard to work around.

However, as a whole it would take a pretty substantial effort to rebuild the entire code base from the decompiled class into something useful to build upon.
# Posted By Dan G. Switzer, II | 3/13/08 9:39 PM