views:

252

answers:

3

I'm building a plugin system for my application. I've read that anyone can decomple .class files and therefore I'm forced ot use a Ahead-Of-Time compiler (right?). The problem is that I need to load some plugin classes dynamically. Right now I'm loading all .class files in a folder and invoking a static method (I never create a object) as a plugin system.

Can I load those classes when all my source is AOT compled? Should I approach the problem another way? Is Java the right language for me?

+4  A: 

Ahead of time compilation is not for blocking people from de-compiling. I think you should use an obfuscator for that purpose.

Dynamically loading classes for plugin system should work with both the obfuscators and AOT.

Tahir Akhtar
Thx, I will look futher into a obfuscator before deploying my application. Unill then I will ignore the "problem" :)
Baversjo
Actually, AOT compilers do indeed block decompilation (by turning bytecode into native machine code). See feature #2 on Excelsior JET's product page: http://www.excelsior-usa.com/jet.html .
Michael Myers
They block decompilation of Java bytecode but a determined/experienced attacker can reverse engineer native code.
Nat
Correct. After all, hackers crack C/C++ programs since day one. However, time/cost of cracking *optimized* native code is much higher as compared to Java bytecode, even if it's obfuscated.
+2  A: 

Tahit Akhtar is right. You need an obfuscator. You'll have to configure it not to obfuscate the name of the classes and methods that your program uses dynamically to load and call the plugins. That is, the public SPI of the plugins cannot be obfuscated, but their implementations can.

Nat
+1  A: 

Unless your classes contain some really top secret functionality I would say drop the obfuscation...

I'm building myself a plug-in framework and I had the same thought to block access to the plug-ins code(since everything sensitive will be there) but I gave up, nowadays everything you can think of is already posted on the web, there are no more secrets in software development ;)

adrian.tarau
Indeed. As I side note I will only deploy my application to trusted customers, so there isn't really anything to worry about.
Baversjo