Java Code Obfuscation with ProGuard: Configuration and Maven Integration
This article explains how to protect Java applications from reverse engineering by using ProGuard for code obfuscation, detailing the creation of a proguard.cfg file, Maven plugin configuration, and the build process to generate an obfuscated JAR.
Compilation
Compilation simply runs the code, turning .java files into .class files.
Decompilation
Decompilation reverses compiled .class files in a jar/war package back to readable source code, often using tools like JD-GUI.
Obfuscation
Obfuscation is a technique to make decompiled code unreadable, providing a layer of protection.
Main Content
The process consists of two steps.
Step 1: Create proguard.cfg
Add a proguard.cfg file in the project root with the following options:
# Specify Java version
-target 1.8
# Disable shrinking
-dontshrink
# Disable optimization
-dontoptimize
# Do not use mixed‑case class names
-dontusemixedcaseclassnames
# Use unique class member names
-useuniqueclassmembernames
# Adapt class strings for Class.forName
-adaptclassstrings
# Keep attributes for exceptions, annotations, etc.
-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,*Annotation*,EnclosingMethod
# Keep interface names
-keepnames interface ** { *; }
# Keep parameter names
-keepparameternames
# Keep enum members
-keepclassmembers enum * { *; }
# Keep Spring annotations and beans
-keepclassmembers class * {
@org.springframework.context.annotation.Bean *;
@org.springframework.beans.factory.annotation.Autowired *;
@org.springframework.beans.factory.annotation.Value *;
@org.springframework.stereotype.Service *;
@org.springframework.stereotype.Component *;
}
# Ignore warnings and notes
-ignorewarnings
-dontnote
# Print configuration
-printconfiguration
-keep public class com.example.myproguarddemo.MyproguarddemoApplication {
public static void main(java.lang.String[]);
}Additional notes and comments in the file explain which classes or members to exclude from obfuscation.
Step 2: Add ProGuard Maven Plugin to pom.xml
Insert the following plugin configuration inside the <build> section:
<build>
<plugins>
<plugin>
<groupId>com.github.wvengen</groupId>
<artifactId>proguard-maven-plugin</artifactId>
<version>2.6.0</version>
<executions>
<!-- Executes ProGuard during the package phase -->
<execution>
<phase>package</phase>
<goals>
<goal>proguard</goal>
</goals>
</execution>
</executions>
<configuration>
<!-- Input JAR (original) -->
<injar>${project.build.finalName}.jar</injar>
<!-- Output JAR (obfuscated) -->
<outjar>${project.build.finalName}.jar</outjar>
<obfuscate>true</obfuscate>
<proguardInclude>${project.basedir}/proguard.cfg</proguardInclude>
<libs>
<lib>${java.home}/lib/rt.jar</lib>
<lib>${java.home}/lib/jce.jar</lib>
<lib>${java.home}/lib/jsse.jar</lib>
</libs>
<inLibsFilter>!META-INF/**,!META-INF/versions/9/**.class</inLibsFilter>
<outputDirectory>${project.basedir}/target</outputDirectory>
<options>
<!-- Additional ProGuard options can be placed here or in proguard.cfg -->
</options>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
<configuration>
<mainClass>com.example.myproguarddemo.MyproguarddemoApplication</mainClass>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>After configuring, run mvn package ; Maven will compile, apply ProGuard, and produce an obfuscated JAR, which can be verified by inspecting the output.
Conclusion
The tutorial demonstrates how to set up ProGuard for Java code obfuscation, ensuring that decompiled output does not reveal the original source.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.