obfuscate Javascript in Java and jsp files

[Christine Mayer]

Hi,

I am looking for a good javascript obfuscator - I found several on the
web, but I am looking for one that can also handle javascript in jsp,
html and java files - so I need a javascript obfuscator that handles
my entire java project.

Is there anything like that, preferable as a Eclipse plugin?

Thanks,

Christine

 

[Andrew Thompson]

Christine Mayer wrote:
....

I am looking for a good javascript obfuscator - I found several on the
web, but I am looking for one that can also handle javascript in jsp,
html and java files - so I need a javascript obfuscator that handles
my entire java project.

Is there anything like that, preferable as a Eclipse plugin?

BwAHHH, AH, hah harr..

...You're joking, right?

<if not>
*Obfuscate* JS? Are you on drugs?!

What is that supposed* to achieve?

* No it won't achieve anything of value to the deployer,
but it would probably be amusing to hear what you
*think* that might achieve... ;-)
</if not>

 

[Lew]

Christine Mayer wrote:
....

BwAHHH, AH, hah harr..

...You're joking, right?

<if not>
*Obfuscate* JS? Are you on drugs?!

What is that supposed* to achieve?

* No it won't achieve anything of value to the deployer,
but it would probably be amusing to hear what you
*think* that might achieve... ;-)
</if not>

Christine, underneath Andrew's caustic delivery beats a mentor's heart.

The question, rephrased to preserve ego, of what goal you aim to accomplish
(strategy) is important, compared to your stated question of what technique
(tactic) you currently plan to use to achieve that goal.

Obfuscating Javascript is a tactic, albeit a useless one, in service of a
larger purpose. What is your purpose?

Since Javascript is interpreted by the browser (or other client agent), it
must appear in source form from the server. The source could perhaps be
obfuscated slightly by silly tricks such as garbled identifiers, but keywords
and data cannot be, and DOM nodes must match what's in your HTML. It is hard
to conceive of any Javascript "obfuscation" that would obscure more than an
insignificant portion of the code, and even harder to conceive of any useful
purpose for doing so.

 

[Christine Mayer]

Well,

plain simple, for 2 reasons:

a) performance

if(a==b)c=d;

uses less characters and thus uses less traffic and thus is faster
then
if(myNiceLittleVariable == myNiceLittleOtherVariable) {
myNiceLittleOtherVariable2 = myNiceLittleOtherVariable3;
}

b) Making it at least HARDER to understand the code on the client side
(political reasons...)
For this reason, my team is currently using very short variable names
and they obfuscate the code by writting it stupidly, but I would
prefer to be able to understand the code myself, so I need to find a
way to make them write proper Javascript code every programmer can
easily understand. If I had such an obfuscator, they would still end
up with silly functions like "if(a==b)c=d;" but I could refactor
the code to make it more understandable.

 

[Andrew Thompson]

b) Making it at least HARDER to understand the code on the client side
(political reasons...)

I am suddenly 'right there with you' when you mention
'political reasons'.

I hope you fought long and hard against them, and warned
the deployers/owners of this system that they should really
remove their hands from their genitals* long enough to think
about what they are requesting/demanding.

* Intended, with all due, or undue (depending on your
perspective), sarcasm. Tell them, from me, (should you
dare) that they are a bunch of clueless wankers that
should *hire* a clue (presuming they are not prepared to
trust the judgement of an apparently quite sensible
developer, yeah, *you*, who advises differently).

OK.. I realise this reply has not exactly progresssed
the thechnical point. Just had to get that out of my
system.

Having said that, there are any number of tools can
be used to turn common JS into 'onbfuscated' JS -
try a search on 'obfuscate JS' or 'obfuscate javascript'
and you will probably see some useful tools.

These tools do not *prevent* people from reverse
engineering JS, but thay can make it so difficult that
it is easier and quicker to write the JS fresh, than
'interpret' the obfuscated JS

(Note that all this applies almost equally as well,
to Java bytecodes, which are *almost* as easy to
'reverse engineer' as 'any old' JS.)

..and did I mention that whoever specifies this
system, is a wanker? (just checking..)

--
Andrew Thompson
http://www.athompson.info/andrew/

Message posted via JavaKB.com
http://www.javakb.com/Uwe/Forums.aspx/java-general/200708/1

 

[Christine Mayer]

Well, I am always fighting as good and hard as I can, but beeing the
"new guy", sometimes you just have to accept certain things...

However, your reply didnt' really help here - I know there are tons of
obfuscators, the problem is I need one that obfuscates not only the
javascript itself, but also all the javascript code in my jsp and Java
files - otherwise the code wouldn't be working anymore!

Example:

MyJavaScriptFileObfuscated.js

var a = 23; // this is myNiceLittleOtherVariable2

MyJsp.jsp:

<javascript>

myNiceLittleOtherVariable2 = 42;

</javascript>

My NiceLittleJavaFile.java

write("<html><head></head><body>myNiceLittleOtherVariable2 = 42;");

So if I obfuscated "myNiceLittleOtherVariable2" to "a" in my
javascript files, all other files (Java, Jsp...)
would still try to access "myNiceLittleOtherVariable2" and this would
fail.


P.s.: Please don't tell me not to write html from Java files or to use
inline javascript in JSP files, thats another political reason...

 

[Andrew Thompson]

Christine Mayer wrote:
...

P.s.: Please don't tell me not to write html from Java files or to use
inline javascript in JSP files, thats another political reason...

OK.. I won't, but I will add that I know of no
solution to the technical side of the problem
as you have outlined it.

Perhaps the comp.lang.javascript gurus can help
you further, but it might help to ..pretend, that all this
was happening in pure HTML, and leave mention of
JSP out of it.

I do not mean that in sarcasm (quite contrary to the
tone of most of my replies to this thread). It is just
that everything that can work (or fail) in JS in a JSP,
will work (or fail) equally as well in plain old HTML,
and the JS afficionados often demand you validate
the HTML* before they will take you seriously (with
any examples).

* They don't care if it is generated by JSP, ASP
or PHP. All that is important is the HTML that is
written to the browser.