How to Obfuscate Spring Boot Code to Prevent Decompilation

This guide explains how to protect a Spring Boot application from reverse engineering by configuring ProGuard to obfuscate compiled class files, adding the necessary Maven plugin settings, and verifying the resulting obfuscated JAR.

Shepherd Advanced Notes
Shepherd Advanced Notes
Shepherd Advanced Notes
How to Obfuscate Spring Boot Code to Prevent Decompilation

Compilation

Source .java files are compiled into .class files, which are then packaged into a JAR or WAR.

Decompilation

Tools such as JD‑GUI can read the compiled JAR and reconstruct readable source code, exposing the implementation.

Obfuscation

ProGuard is used to transform the bytecode so that decompiled output no longer reflects the original source.

Step 1: Create proguard.cfg

# Specify Java version
-target 1.8
# Disable shrinking (removing unused code)
-dontshrink
# Disable bytecode optimization
-dontoptimize
# Do not generate mixed‑case class names
-dontusemixedcaseclassnames
# Use unique names for class members
-useuniqueclassmembernames
# Adapt class strings for reflection
-adaptclassstrings
# Keep important attributes
-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,*Annotation*,EnclosingMethod
# Preserve interface names
-keepnames interface ** { *; }
# Keep parameter names for Spring MVC, MyBatis, etc.
-keepparameternames
# Keep enum members and methods
-keepclassmembers enum * { *; }
# Keep Spring beans, autowired fields, @Value, @Service, @Component
-keepclassmembers class * {
    @org.springframework.context.annotation.Bean *;
    @org.springframework.beans.factory.annotation.Autowired *;
    @org.springframework.beans.factory.annotation.Value *;
    @org.springframework.stereotype.Service *;
    @org.springframework.stereotype.Component *;
}
# Suppress warnings and notes
-ignorewarnings
-dontnote
# Print configuration for debugging
-printconfiguration
-keep public class com.example.myproguarddemo.MyproguarddemoApplication {
    public static void main(java.lang.String[]);
}

Comments in the file indicate which classes, enums, and annotations should be excluded from obfuscation.

Step 2: Add ProGuard Maven plugin to pom.xml

<build>
    <plugins>
        <plugin>
            <groupId>com.github.wvengen</groupId>
            <artifactId>proguard-maven-plugin</artifactId>
            <version>2.6.0</version>
            <executions>
                <execution>
                    <phase>package</phase>
                    <goals>
                        <goal>proguard</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <injar>${project.build.finalName}.jar</injar>
                <outjar>${project.build.finalName}.jar</outjar>
                <obfuscate>true</obfuscate>
                <proguardInclude>${project.basedir}/proguard.cfg</proguardInclude>
                <libs>
                    <lib>${java.home}/lib/rt.jar</lib>
                    <lib>${java.home}/lib/jce.jar</lib>
                    <lib>${java.home}/lib/jsse.jar</lib>
                </libs>
                <inLibsFilter>!META-INF/**,!META-INF/versions/9/**.class</inLibsFilter>
                <outputDirectory>${project.basedir}/target</outputDirectory>
                <options>
                    <!-- additional ProGuard options can be placed here -->
                </options>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
            <executions>
                <execution>
                    <goals>
                        <goal>repackage</goal>
                    </goals>
                    <configuration>
                        <mainClass>com.example.myproguarddemo.MyproguarddemoApplication</mainClass>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Key points: the plugin runs during the package phase, takes the original JAR as input, applies ProGuard according to proguard.cfg, and overwrites the JAR with the obfuscated version.

Build and Verify

Running mvn package executes the normal compilation, then ProGuard obfuscates the bytecode. The generated JAR can be inspected; decompiling it with JD‑GUI shows mangled class and method names, confirming that the original source is hidden.

The tutorial concludes after demonstrating the successful creation of an obfuscated Spring Boot JAR.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

JavaMavenSpring Bootsecuritycode-obfuscationproguard
Shepherd Advanced Notes
Written by

Shepherd Advanced Notes

Dedicated to sharing advanced Java technical insights, daily work snippets, and the power of persistent effort.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.