I was wondering whether there's a way to obfusticate a hibernate application? I'm using tapestry for my frontend and hibernate for my persistence. Both are very dynamic and use a lot of byte code generation. This is going to cause me a problem when I get to the stage of obfusticating my application.

Has anyone ran into this issue before? Any good solutions?

It has been asked a while ago, but wo solution.

I need to solve this problem too. I haven't done it yet, but here's a thought: Don't obsfucate your POJO, but encrypt them and load them up with a decrypting classloader. The encryption key can either be stored in the classloader (less secure, even if the classloader is obsfucated) or loaded up remotely via SSL. (Single point of failure if this goes wrong, not feasable in non-networked environments.)

I haven't addressed mapping files yet. :) If I was really paranoid I'd do all of the configuration in code and do the same process as above.

Like I said, I haven't tried this yet. Any thoughts?

A nice article on why decrypting classloaders are completely uselses crap can be found here: http://www.javaworld.com/javaworld/javaqa/2003-05/01-qa-0509-jcrypt.html

I know. Just read it. :)

But, despite what that article says, you can't design security around the "well, SOMEBODY can break it, so why secure it" principle. The trick is to design a security policy that 1) blocks out most casual hacks, and 2) makes a hack difficult enough that it can be detected or not worth the hacker's time.

Just because you can't secure like Fort Knox doesn't mean you leave the front door open...

Well the fun thing about decrypting classloaders is that they are super easy to detect, and everybody inteligent enough to do a google search and read a two-page article can circumvent them in under one minute.

Hey, ya can't convince a skeptic. But if you want to leave the keys to your house out on the street, more power to ya...

Everybody who has the energy and knowledge to use a decompiler to read your class files will not be stopped more than two minutes using some "decrypting classloader" stuff, thats a fact. Well thats not really hibernate related, so lets leave it for now.

Would it be possible to convert the mapping files into code perhaps? Once it's in code form the obfusticator would then know how to deal with it.

This would all depend on whether sufficient API's exist to do such a thing.

You could do your configuration programmatically by building the DOM tree and passing it to configure(). Note however that your obfuscator still should not do something like method remaining, or Hibernate will not be able to access your get/set methods by reflection. You could work around by using custom PropertyAcessors which contain the method calls hardwired. Lots of effort though.

So far compared to open source...