
How to Secure Your SpringBoot Application from Decompilation with ClassFinal

This guide explains how to protect a SpringBoot-based e‑commerce project from source leakage by using code obfuscation or the ClassFinal Maven plugin, detailing configuration, startup options, decompilation results, and machine‑binding to ensure the packaged jar runs only on authorized servers.


Scenario

A project needs to be deployed on a third‑party server without exposing source code, requiring the production startup package to be secured against decompilation tools.

Solution

First option: code obfuscation using proguard-maven-plugin. This works for single‑module projects but becomes complex in multi‑module setups.
Second option: code encryption using classfinal-maven-plugin. This approach is simpler, encrypts source files, configuration files, and dependencies, and supports machine‑binding so the encrypted project runs only on specified machines.

Project Operation

Add the following plugins to the pom.xml of the SpringBoot startup module, placing the ClassFinal plugin after the spring-boot-maven-plugin:

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
        <plugin>
            <!-- Encryption plugin -->
            <groupId>net.roseboy</groupId>
            <artifactId>classfinal-maven-plugin</artifactId>
            <version>1.2.1</version>
            <configuration>
                <password>#</password> <!-- No password needed at startup -->
                <excludes>org.spring</excludes>
                <packages>${groupId}</packages>
                <cfgfiles>application.yml,application-dev.yml</cfgfiles>
                <libjars>hutool-all.jar</libjars>
                <code>xxxx</code> <!-- Machine code for binding -->
            </configuration>
            <executions>
                <execution>
                    <phase>package</phase>
                    <goals>
                        <goal>classFinal</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Startup Methods

No‑Password Startup

java -javaagent:xxx-encrypted.jar -jar xxx-encrypted.jar

Password‑Protected Startup (replace 密码 with the password configured in the plugin)

java -javaagent:xxx-encrypted.jar='-pwd=密码' -jar xxx-encrypted.jar

Decompilation Effect

After encryption, method bodies are cleared while retaining parameters and annotations, allowing Swagger documentation to work. Decompilation only reveals method signatures and annotations, not the actual implementation. Decryption occurs entirely in memory during startup, leaving no decrypted files on disk.

Figure: Decompilation result

YAML configuration files appear blank after encryption.

Figure: Encrypted YAML
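A pre-deployment sanity check for the packaged jar, added here as an example and not part of the original article or the ClassFinal project: it verifies that every file listed in <cfgfiles> is blank in the built artifact and that the jar's manifest declares a Premain-Class, which the JVM requires for the -javaagent startup shown above. The sample jar it builds is constructed in memory for the demonstration (the Premain-Class value is a placeholder, not ClassFinal's real agent class).

```python
import io
import zipfile

# Files named in the plugin's <cfgfiles>; after encryption they must be blank.
CFG_FILES = ("application.yml", "application-dev.yml")


def check_encrypted_jar(jar_bytes: bytes, cfg_files=CFG_FILES) -> list:
    """Return a list of findings for a built jar; an empty list means it passed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        # -javaagent:xxx-encrypted.jar only works if the manifest names an agent class.
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            if "Premain-Class:" not in manifest:
                findings.append("manifest lacks Premain-Class; -javaagent startup will fail")
        else:
            findings.append("jar has no META-INF/MANIFEST.MF")
        for cfg in cfg_files:
            matches = [n for n in names if n == cfg or n.endswith("/" + cfg)]
            if not matches:
                findings.append(f"{cfg} not found in jar")
                continue
            for entry in matches:
                # A non-blank config entry means the file was not encrypted.
                if jar.read(entry).strip():
                    findings.append(f"{entry} still contains plaintext configuration")
    return findings


def build_sample_jar(blank_config: bool, with_premain: bool) -> bytes:
    """Constructed sample jar (Spring Boot layout), not a real ClassFinal build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        manifest = "Manifest-Version: 1.0\nMain-Class: org.springframework.boot.loader.JarLauncher\n"
        if with_premain:
            manifest += "Premain-Class: com.example.AgentPlaceholder\n"  # placeholder value
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        yml = "" if blank_config else "spring:\n  datasource:\n    password: example-secret\n"
        for cfg in CFG_FILES:
            jar.writestr("BOOT-INF/classes/" + cfg, yml)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_encrypted_jar(build_sample_jar(blank_config=True, with_premain=True)))
    print(check_encrypted_jar(build_sample_jar(blank_config=False, with_premain=False)))
```

Run it against the real xxx-encrypted.jar by passing its bytes to check_encrypted_jar before the artifact leaves the build server.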

Machine‑Binding Startup

Download classfinal-fatjar-1.2.1.jar and generate a machine code:

java -jar classfinal-fatjar-1.2.1.jar -C
Figure: Machine code generation

Insert the generated machine code into the <code> element of the plugin configuration; the packaged project will then run only on that specific machine.

Written by

macrozheng

Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.
