Obfuscation of Spring Boot modules

Question

I wonder, is there a decent approach to obfuscate spring boot module's code?
Tried to use Pro Guard, but faced with need of spring to keep some fields names to be untouched in runtime (DTO for (de)serialization, DO entities for db columns linking, and so on).

Answer 1

One good possibility is too use ProGuard, it's is an open source most popular optimizer and obfuscator for Java byte code, quit simple to configure it, Create a file named “proguard.cfg” at the root level as your pom is located and add htis two plugin to you pom plugins.

<?xml version="1.0" encoding="UTF-8"?> 
<plugins>
<plugin>       
<groupId>com.github.wvengen</groupId>       
<artifactId>proguard-maven-plugin</artifactId>       <version>2.3.1</version>       
<executions>          
<execution>             
<phase>package</phase>             
<goals>                
<goal>proguard</goal>             
</goals>          
</execution>       
</executions>       
<configuration>          
<proguardVersion>6.0.3</proguardVersion>          <injar>${project.build.finalName}.jar</injar>          <outjar>${project.build.finalName}.jar</outjar>          <obfuscate>true</obfuscate>          <proguardInclude>${project.basedir}/proguard.cfg</proguardInclude>          <libs>             
<lib>${java.home}/lib/rt.jar</lib>             <lib>${java.home}/lib/jce.jar</lib>             <lib>${java.home}/lib/jsse.jar</lib>          
</libs>       
</configuration>       
<dependencies>          
<dependency>             
<groupId>net.sf.proguard</groupId>             
<artifactId>proguard-base</artifactId>             <version>6.0.3</version>          
</dependency>       
</dependencies>
</plugin>    
<plugin>       
<groupId>org.springframework.boot</groupId>       <artifactId>spring-boot-maven-plugin</artifactId>       
<executions>          
<execution>             
<goals>                
<goal>repackage</goal>             
</goals>             
<configuration>                <mainClass>com.jayk.springboot.proguard.obfuscationdemo.ObfuscationDemoApplication</mainClass>             
</configuration>          
</execution>       
</executions>    
</plugin> 
</plugins>

then add below configuration in your proguard.cfg

-target 1.8 ##Specify the java version number
-dontshrink ##Default is enabled, here the shrink is turned off, that is, the unused classes/members are not deleted.
-dontoptimize ##Default is enabled, here to turn off bytecode level optimization
-useuniqueclassmembernames ## Take a unique strategy for confusing the naming of class members
-adaptclassstrings ## After confusing the class name, replace it with a place like Class.forName('className')
-dontnote
-ignorewarnings ## warnings are ignored
-dontwarn
-keep public class * extends org.springframework.boot.web.support.SpringBootServletInitializer
-keepdirectories ## Keep the package structure
-keepclasseswithmembers public class * { public static void main(java.lang.String[]);} ##Maintain the class of the main method and its method name
-keepclassmembers enum * { *; }  ##Reserving enumeration members and methods
-keepclassmembers class * {
     @org.springframework.beans.factory.annotation.Autowired *;
     @org.springframework.beans.factory.annotation.Qualifier *;
     @org.springframework.beans.factory.annotation.Value *;
     @org.springframework.beans.factory.annotation.Required *;
     @org.springframework.context.annotation.Bean *;
     @org.springframework.context.annotation.Primary *;
     @org.springframework.boot.context.properties.ConfigurationProperties *;
     @org.springframework.boot.context.properties.EnableConfigurationProperties *;
     @javax.inject.Inject *;
     @javax.annotation.PostConstruct *;
     @javax.annotation.PreDestroy *;
}
-keep @org.springframework.cache.annotation.EnableCaching class *
-keep @org.springframework.context.annotation.Configuration class *
-keep @org.springframework.boot.context.properties.ConfigurationProperties class *
-keep @org.springframework.boot.autoconfigure.SpringBootApplication class *
-allowaccessmodification
-keepattributes *Annotation*
-keepdirectories com.jayk.springboot.proguard.obfuscationdemo
-keepdirectories org.springframework.boot.autoconfigure
## Do not change names of the getters and setter, if you remove this ##thymeleaf unable to find the getter and setter i.e: ##${greetingDTO.message}
-keepclassmembers class * {
    *** get*();
    void set*(***);
}
-keepclassmembernames class * {
     java.lang.Class class$(java.lang.String);
     java.lang.Class class$(java.lang.String, boolean);
}
-keepclassmembers enum * {
     public static **[] values();
     public static ** valueOf(java.lang.String);
     public static ** fromValue(java.lang.String);
}
-keepnames class * implements java.io.Serializable
-keepclassmembernames public class com.test.blah.config.liquibase.AsyncSpringLiquibase
-keepclassmembers class * implements java.io.Serializable {
     static final long serialVersionUID;
     private static final java.io.ObjectStreamField[] serialPersistentFields;
     !static !transient <fields>;
     !private <fields>;
     !private <methods>;
     private void writeObject(java.io.ObjectOutputStream);
     private void readObject(java.io.ObjectInputStream);
     java.lang.Object writeReplace();
     java.lang.Object readResolve();
}
-keepclassmembers class * {
     @org.springframework.beans.factory.annotation.Autowired <fields>;
     @org.springframework.beans.factory.annotation.Autowired <methods>;
     @org.springframework.security.access.prepost.PreAuthorize <methods>;
}

find more example in here .