Obfuscating Spring Boot Projects Using Maven Proguard Plugin

Introduction

Obfuscation is the act of reorganizing bytecode so that it becomes hard to decompile. Many developers rely on obfuscation to keep their sensitive code away from unwanted eyes. Publishing jars without obfuscation may hurt competitiveness, because rivals may take advantage of the easily decompilable nature of Java binaries.

Objective

Spring Boot applications make use of public interfaces and annotations, which makes them harder to obfuscate. Additionally, the Spring Boot Maven plugin creates a fat jar which contains all dependent jars. It is not viable to obfuscate the whole fat jar. Thus obfuscating Spring Boot applications is different from obfuscating regular Java applications and requires a suitable strategy.

Audience

Those who use Spring Boot and Maven and wish to obfuscate their application using Proguard are the target audience for this article.

Sample Application

As the sample application, I will use the Elasticsearch sync application from my GitHub repository.

https://github.com/habanoz/essync/

Only the rest module uses obfuscation. The rest module simply creates an Elasticsearch instance and provides a REST interface to let clients access the Elasticsearch repository. Spring Boot uses embedded Tomcat to launch the application.

Obfuscation Details

When obfuscating a Spring Boot application, the first caveat is to leave the information the Spring framework needs intact. Spring requires annotations, interfaces and attribute names. That information is necessary not only for the Spring runtime but also for other enterprise frameworks such as Hibernate.

Proguard can be configured to leave the required information untouched. A proguard.cfg file can be used to configure Proguard. Luckily, Proguard has a Maven plugin which makes using Proguard with Maven applications a breeze. The Maven plugin can configure Proguard through option tags.

Look at the configuration excerpt from the module pom and check the options. Note that the main class is opted out of obfuscation. The `-dontshrink` and `-dontoptimize` options are not necessary; however, caution is advised.

The second caveat is to run the obfuscation before the fat jar is created. To achieve this, the Spring Boot Maven plugin is added after the Proguard plugin. Its execution goal should be set to repackage, because the plugin should repackage the project jar to create a fat jar. Also, note that the injar and outjar values of the Proguard plugin must be the same so that the Spring Boot plugin repackages the obfuscated jar.

Discussion

In my opinion, Spring applications should be designed with obfuscation in mind. Obfuscating a Spring application requires a correct configuration, which may not be very easy to set up. A proper configuration may require that some parts of the code are not obfuscated, which reduces the gains from the obfuscation process.

It is good practice to decouple obfuscation-critical code from Spring dependencies or other enterprise frameworks. This way, sensitive code sections can easily be obfuscated.

Conclusion

Obfuscation should be applied with great care. It is also important to design applications with the obfuscation process in mind.

