Why Spring Fails to Load Encrypted @Component Classes and How It Scans Bytecode

Java developers often use Spring, but many are unaware of a subtle issue when a @Component class is encrypted.

A friend encountered a problem where an implementation class HelloServiceImpl was compiled, then encrypted and packaged into a jar. The class was annotated with @Component and placed in package com.xx.yy, which was added to @ComponentScan in a Spring Boot application.

The application was started with a native agent:

java -jar -agentpath:/usr/lib/xxdecrypt.so demo.jar

The encrypted class could not be loaded, resulting in a startup error similar to:

org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/sample/demo.jar!/com/xx/yy/HelloServiceImpl.class]; nested exception is java.lang.ArrayIndexOutOfBoundsException: 15467 ...

The root cause is that Spring’s classpath scanning does not load each class with the JVM. Instead, it reads the class file as a byte array and uses ASM’s ClassReader to parse metadata. Because the bytecode is encrypted, new ClassReader(is) throws an exception, leading to the ArrayIndexOutOfBoundsException.

Therefore, the failure occurs either because the encrypted bytecode is malformed or because the scanning process bypasses the native agent that would decrypt the class.

Key Spring source excerpt:

SimpleMetadataReader(Resource resource, ClassLoader classLoader) throws IOException {
    InputStream is = new BufferedInputStream(resource.getInputStream());
    ClassReader classReader;
    try {
        classReader = new ClassReader(is);
    } catch (IllegalArgumentException ex) {
        throw new NestedIOException("ASM ClassReader failed to parse class file - probably due to a new Java class file version that isn\'t supported yet: " + resource, ex);
    } finally {
        is.close();
    }
    AnnotationMetadataReadingVisitor visitor = new AnnotationMetadataReadingVisitor(classLoader);
    classReader.accept(visitor, ClassReader.SKIP_DEBUG);
    this.annotationMetadata = visitor;
    this.classMetadata = visitor;
    this.resource = resource;
}

Understanding that Spring scans bytecode without loading the class explains why encrypted @Component classes cause startup errors, and points to the need for proper decryption during the scanning phase.