Protecting your XPages Application

One of the hallmarks and success factors of IBM Notes was the openness of the design of all Notes applications. Since lots of people put blood, sweat and tears into their applications, Lotus added the possibility to hide the design of an application to protect it from spying eyes. While I don't like hidden designs I can understand the rationale.
Others keep their design open, but compile the LotusScript libraries with references to lss files outside, so the core business logic is protected.
Hiding the design doesn't work for XPages, you can poke around and get back to the source. So what are your options?

Keep your business logic in Java classes (Pojo, Beans, Managed Beans) and develop them outside of the NSF and transfer them as jar file only
Deliver your custom controls as Extension Library (which can be deployed using an NSF) - which obviously requires advanced Skills
Keep your XPages lean and handle the delicate parts in custom controls that you hide (see below)

Of course compiled Java can be transformed back to Java source code, so you might want to add another layer using Java obfuscation, but then you might have crossed the line between precaution and paranoia (to my best knowledge IBM doesn't use obfuscation in Java products). An additional level of protection is offered using Refuctoring (no, that's not a typo).
So how would a typical workflow look like? There seem to be quite some moving parts involved:
Protecting XPages Workflow

Develop and test your application as per normal. Keep items you want to protect in custom controls and Java classes
Make sure you have your project build before doing the next steps
Link your database to an On Disk Project for version control (but you do that anyway don't you?). Let's call that project "OnDisk Open"
Have your target database (the one that you will deliver to your customer) setup in a similar way. Let's call that project "OnDisk Closed"
Copy all elements you want to keep open (Forms, Views, XPages, CSS etc.) from OnDisk Open to OnDisk Closed
Copy your Java source files and the generated Java source files for your custom controls (found in the Local directory, actually outside the NSF) in OnDisk Open to a src structure. Custom controls live in the xsp package. Your code lives in your packages
Compile your Java
Put all the compiled classes into a jar
Copy that jar into the /WebContent/WEB-INF/lib folder of the OnDisk Closed project. At the first time: add this jar to the classpath of your closed.nsf after sync with the OnDisk Closed project
Copy the .xsp-config files of the custom controls you processed in the previous 4 steps into the /WebContent/WEB-INF/ directory (the same directory your faces-config.xml is living in)
Sync the OnDisk Closed project with closed.nsf
Build your closed.nsf - done

With a little skill those steps can be automated.Enter Apache ANT. Ant can copy, compile, stuff in Jar, update properties files etc. There are pointers to consider when using ANT in a Domino project:

ANT is unaware of the EFS (Eclipse Virtual File System), it acts on regular files only, so your operations need to run against the OnDisk projects rather the NSF directly
The Java compile command is unaware of Eclipse and its classpath too. You need to specify that. Is is easier than it looks. Use the Navigator view to locate the build.properties file, right click on it, select PDETools - Create ANT build file. It will create a build.xml you can use for starters. The piece you are interested in is <path id="Plug-in Dependencies.libraryclasspath">. You need to add that to your compile classpath together with your bin directory in a statement like this:
<path id="YourBeans.classpath"><pathelement location="bin" /><path refid="Plug-in Dependencies.libraryclasspath" /></path>
Configure your Domino Designer to automatically pick up changes from the file system. File - Preferences - Workspace - Refresh automatically
While you are on it, generate your JavaDocs too

A complete ANT build script could look like this (I took out the content of Plug-in Dependencies.libraryclasspath):

<?xml version="1.0"?>
<project name="Protect XPages" default="main" basedir=".">


<property name="src.dir" location="src" />
<property name="build.dir" location="bin" />
<property name="docs.dir" location="doc" />
<property name="closed.project.dir" location="C:\ondisk\closed" />

<path id="Plug-in Dependencies.libraryclasspath">
...
</path>

<path id="YourBeans.classpath">
<pathelement location="bin" />
<path refid="Plug-in Dependencies.libraryclasspath" />
</path>

<path id="JavaDoc.classpath">
<pathelement location="bin" />
<path refid="Plug-in Dependencies.libraryclasspath" />
</path>


<target name="compile">
<javac srcdir="${src.dir}" destdir="${build.dir}">
<classpath refid="YourBeans.classpath" />
</javac>
</target>


<target name="docs" depends="compile">
<javadoc packagenames="src" sourcepath="${src.dir}" destdir="${docs.dir}">
<classpath refid="JavaDoc.classpath" />

<fileset dir="${src.dir}">
<include name="**/*.java"/>
</fileset>
</javadoc>
</target>


<target name="jar" depends="compile">
<jar destfile="${closed.project.dir}/WebContent/WEB-INF/lib/YourBeans.jar">
<fileset dir="${build.dir}" />
<manifest>
<attribute name="Main-Class" value="com.notessensei.Test" />
</manifest>
</jar>
</target>


<target name="copy">
<copy todir="${src.dir}">
<fileset dir="Local">

<include name="**/cc*.java"/>
</fileset>
</copy>
<copy todir="${closed.project.dir}/WebContent/WEB-INF">
<fileset dir="CustomControls">
<include name="**/*.xsp-config"/>
</fileset>
</copy>

...
</target>

<target name="main" depends="copy, compile, docs, jar">
<description>Do it all </description>
</target>
</project>

You can run this ANT file, by right clicking on in in Domino Designer selecting "Run as ANT file".
As usual YMMV

Posted by Stephan H Wissel on 24 July 2013 | Comments (4) | categories: XPages

posted by Paul Withers on Wednesday 24 July 2013 AD:
It confused me when I tried to create the build.xml but couldn't see it in Designer. I right-clicked the build.properties in the NSF version (it wasn't in the on disk project), selected PDE Tools - Create ANT build file, but couldn't see it in Designer. But I found it in the local files on my PC, in <Data>\workspace\myServerName\myNSF.nsf folder.

I managed to create one that was visible in designer by right-clicking the project, selecting Export - Ant Buildfiles and selecting the defaults.

posted by Egor Margineanu on Friday 26 July 2013 AD:
Interesting. This opens the possibility to use Continous Integration tools (hudson/jenkins). At least some part of it.

posted by Stefan Zehnder on Monday 29 September 2014 AD:
Thirst of all, thanks for the great idea, this is exactly what we need for our project.
But unfortunately, I was not able to make it work. When I try to run an xPage I'm getting the error "HTTP Code: 500 javax.servlet.ServletException: java.lang.Error: Resource not found for setting access rights". It seems that something is still missing. The compiled class for the Custom Control is in the Jar. The Jar is readable by in the Designer, included in the build path and in the lib folder. The "xsp-config" file is also in the "Web-Inf" folder. I'm not sure if it is the Jar that can’t be found or maybe the “composite-file” property in the xsp-config file points to the wrong file or class. If you have any ideas what is going wrong, I would appreciate the input.

posted by Pornthep Suwantanapanich on Saturday 26 September 2015 AD:
Dear Mr. Stefan Zehnder,

I encountered same as yours. Did you fix it.