Secure Spring Boot Deployments with ClassFinal: Code Encryption & Machine‑Bound Launch
This guide explains how to protect Spring Boot production packages from decompilation by using the ClassFinal Maven plugin for code encryption, configuring machine‑bound startup, and comparing it with ProGuard obfuscation, including detailed plugin setup, launch commands, and observed decompilation results.
1 Scenario
A recent project has to be deployed to a client's server without exposing the source code, so the production package must be protected against decompilation.
2 Solutions
First solution: code obfuscation using proguard-maven-plugin.
This is simple for single‑module projects, but in multi‑module setups the configuration is difficult and error‑prone.
Second solution: code encryption using classfinal-maven-plugin.
This approach encrypts source code, yml/properties files, and dependent jars, and supports machine‑bound startup, allowing the encrypted project to run only on specified machines.
ClassFinal project source [1]
3 Project Operation
Add the following plugin configuration to the pom.xml of the startup module, placing it after the spring-boot-maven-plugin.
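    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <!-- Encryption plugin configuration -->
                <groupId>net.roseboy</groupId>
                <artifactId>classfinal-maven-plugin</artifactId>
                <version>1.2.1</version>
                <configuration>
                    <!-- Launch password; "#" means the jar starts without one -->
                    <password>#</password>
                    <!-- Class name prefixes excluded from encryption -->
                    <excludes>org.spring</excludes>
                    <!-- Packages to encrypt; ${project.groupId} replaces the deprecated ${groupId} -->
                    <packages>${project.groupId}</packages>
                    <!-- Configuration files to encrypt -->
                    <cfgfiles>application.yml,application-dev.yml</cfgfiles>
                    <!-- Dependency jars to encrypt -->
                    <libjars>hutool-all.jar</libjars>
                    <!-- Machine code for machine-bound startup (see section 6); xxxx is a placeholder -->
                    <code>xxxx</code>
                </configuration>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>classFinal</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
4 Startup Methods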
Without password:
    java -javaagent:xxx-encrypted.jar -jar xxx-encrypted.jar
With password (密码 is a placeholder meaning "password"; substitute the value set in <password>):
    java -javaagent:xxx-encrypted.jar='-pwd=密码' -jar xxx-encrypted.jar
5 Decompilation Effect
After encryption, method bodies are cleared while parameters and annotations remain, ensuring compatibility with Swagger documentation scanning.
Decompiled code shows only method names and annotations, not the actual implementation.
During startup, classes are decrypted entirely in memory, leaving no decrypted files on disk.
YML configuration files become blank.
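A post-build check for the results described above, as an added example that is not part of the original article or the ClassFinal project: it opens the packaged jar and reports any file listed in cfgfiles that still has readable content, plus any embedded pom.xml that carries a real ClassFinal password. The function names, finding labels and sample jar are constructed for illustration, and it assumes the jar may contain the pom.xml that Maven embeds under META-INF/maven by default.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# File names from the <cfgfiles> value in the plugin configuration above.
CFGFILES = frozenset({"application.yml", "application-dev.yml"})
PLUGIN = b"classfinal-maven-plugin"
PASSWORD_RE = re.compile(rb"<password>\s*([^<]+?)\s*</password>")


def audit_encrypted_jar(jar, cfgfiles=CFGFILES):
    """Return (finding, entry) pairs for a jar given as path or file object."""
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name
            if name in cfgfiles:
                if zf.read(info).strip():  # should be blank after encryption
                    findings.append(("config-not-blank", info.filename))
            elif name == "pom.xml":
                data = zf.read(info)
                start = data.find(PLUGIN)
                # First <password> after the plugin id; "#" is the placeholder.
                m = PASSWORD_RE.search(data, start) if start >= 0 else None
                if m and m.group(1) != b"#":
                    findings.append(("password-in-pom", info.filename))
    return findings


def build_sample_jar(entries):
    """Constructed sample input: an in-memory jar built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    pom = b"<artifactId>classfinal-maven-plugin</artifactId><password>s3cret</password>"
    leaky = build_sample_jar({"BOOT-INF/classes/application.yml": b"a: 1\n",
                              "META-INF/maven/com.example/demo/pom.xml": pom})
    for finding in audit_encrypted_jar(leaky):
        print(*finding)
```

Passing the path of the real xxx-encrypted.jar instead of the sample lets the same check run as a release gate.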
6 Machine‑Bound Startup
Download classfinal-fatjar-1.2.1.jar and run:
    java -jar classfinal-fatjar-1.2.1.jar -C
This generates a machine code, which should be placed into the code field of the Maven plugin configuration, restricting the packaged project to run only on that machine.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
