You guys have a lot of work ahead of you if you expect to get anywhere.
1) Don't include the .java source files. You have no idea how much power you give anyone that downloads your client with those files...
2) JAR your client. Refer to #1, but this way the client can be ran as a "click once" application. A.K.A: You click the .jar and it runs. I had to edit the run.bat to allow the client to run.
3) Don't use a forum builder. Go get a free website from like 000webhost or x10hosting and then download SMF from simplemachines, then install it.
4) You sent out the client that has the server set to localhost (127.0.0.1)
No matter what client you give them, they have the same power. Anyone can easily unpackage a .jar file and decompile the class files. Even using a webclient, any player can use wget to get the .jar. Or even just inspect element if they host it on the website.
I understand that.
But there's a huge difference in giving people the source files, than using a decompiler to get the files.
can edit the source files. However, it takes a slight bit more knowledge to decompile the files. And that assumes the decompiler you used worked correctly. That also assumes that you won't have to do any major renaming because the person didn't obfuscate it. If they did obfuscate it, the greater portion of "average RSPS users" will not know what to do with a bunch of class files named "A.class, B.class, etc".
There is no way to guarantee your client from protection. It can always be deobfuscated, decompiled, whatever. Adding these extra steps just makes it take longer, and makes it harder for the average person to do. Therefore giving a person some form of security.
I can take any client that provides the source files, and edit it (in under 2 minutes) to allow me to noclip, and it won't send the noclip command to the server. I can also modify my rights client sided (Doesn't really matter), spawn objects client sided (Servers without server sided checks won't recognize these are "false objects" therefore letting me interact with them) and a thousand other huge holes.
Long story short: Jar your client, and for an added layer of security, obfuscate it.