[Laszlo-user] Securing Source Code (Business Logic and Client Logic)

jamesr circlecycle at gmail.com
Mon May 19 12:37:22 PDT 2008


Hi,

	I think there are others who would want to give an answer, but here  
is a quick one. Regarding server backend logic protection, you  
naturally use what your server environment offers. If you are using  
the standard Tomcat deployment, then looking into various servlet  
technologies or design patterns to protect web-services is the best  
idea. In most instances, OL merely interchanges XML and it is this XML  
data source - not OL - that has the responsibility for protecting data  
from malicious users (things like session cookies, SSL, etc.). The  
moral here is that using OL doesn't force you to make any back-end  
choices at *all* since it's primarily (again, it does ship with a  
Tomcat environment) a client-side technology.

	As far as client side goes - yes - your web browser may well cache  
your application. If you are looking for a form of obfuscation to  
prevent people from reading your code directly, then that is  
accomplished by compiling the application itself. It won't completely  
protect the code, but it's not as if someone can read your source by  
some automatic listing. Even a Flash decompiler will only be so  
useful, since some abstractions are hard to unroll when viewed from  
that low-level perspective.

	The age-old question of "I want to give you something, but I don't  
want to give you that same thing" that is currently rampant in the  
entertainment industry is still as basically unsolvable as ever.  
Various hardware companies are trying to solve the problem using the  
(still vulnerable and somewhat ethically challenged) TPM "trusted  
computing" stuff that is a completely different conversation.

	Help at all? Good luck and keep poking around,
		- james

On May 18, 2008, at 9:20 PM, Jason Hall wrote:

> Hi,
>
> I'm new to OpenLaszlo and I want to know if developing a COTS  
> application (product to be used by others) how do I protect business  
> logic (on server-side) specifically and secondly protect client  
> logic.  Are the lzx files exposed locally on the client box  
> somewhere in the cache that anyone can see?
>
> Thanks,
>
> JH
