
Protecting Spring Boot Applications with Classfinal Maven Plugin: Code Encryption and Machine‑Bound Execution

This article explains how to secure Spring Boot deployment packages by using Maven plugins for code obfuscation and encryption, configuring classfinal‑maven‑plugin to encrypt class files, configuration files, and libraries, and demonstrates password‑less and password‑protected startup as well as machine‑bound execution to prevent reverse engineering.

Java Architect Essentials

Scenario: A project needs to be deployed on a client’s server without exposing source code, requiring the production startup package to be protected against decompilation.

Solution Overview:

First approach – code obfuscation: Use proguard-maven-plugin, which works for single‑module projects but becomes complex in multi‑module setups due to intricate configuration and potential errors.

Second approach – code encryption: Use classfinal-maven-plugin, which simplifies protection by encrypting class files, YAML/properties files, and dependent JARs, and supports machine‑bound execution.

Project Setup: Add the following plugin configuration to the pom.xml after the spring-boot-maven-plugin section:

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
        <plugin>
            <!-- classfinal-maven-plugin configuration -->
            <groupId>net.roseboy</groupId>
            <artifactId>classfinal-maven-plugin</artifactId>
            <version>1.2.1</version>
            <configuration>
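                <!-- Startup password; # selects password-less startup -->
                <password>#</password>
                <!-- Excluded from encryption -->
                <excludes>org.spring</excludes>
                <!-- Packages whose classes are encrypted -->
                <packages>${groupId}</packages>
                <!-- Configuration files to encrypt -->
                <cfgfiles>application.yml,application-dev.yml</cfgfiles>
                <!-- Dependency JARs to encrypt -->
                <libjars>hutool-all.jar</libjars>
                <!-- Machine code for machine-bound execution (see below) -->
                <code>xxxx</code>
            </configuration>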
            <executions>
                <execution>
                    <phase>package</phase>
                    <goals>
                        <goal>classFinal</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Startup Methods:

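No‑password start: java -javaagent:xxx-encrypted.jar -jar xxx-encrypted.jar

Password‑protected start: java -javaagent:xxx-encrypted.jar='-pwd=密码' -jar xxx-encrypted.jar

Here 密码 ("password") stands for the password set in the plugin's password element. A password passed this way is part of the process command line, so it is visible in process listings on the server and may be saved in shell history.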

Decompilation Effect: After encryption, method bodies are cleared while parameters and annotations remain, allowing Swagger documentation to work; decompiled code shows only method signatures and annotations, with no method implementation, and decryption occurs entirely in memory without leaving files.

Machine‑Bound Execution: Download classfinal-fatjar-1.2.1.jar, run java -jar classfinal-fatjar-1.2.1.jar -C to generate a machine code, then place that code into the plugin’s code element so the packaged JAR can run only on that specific machine.
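
The following release check is an added example, not part of the original article or the ClassFinal project: it scans a packaged JAR, including nested JARs under BOOT-INF/lib, for canary strings that should no longer be readable, which catches a configuration file or library that was left out of cfgfiles or libjars. The sample archive, the canary values, and the entries application-prod.yml and other.jar are constructed, and the opaque bytes only stand in for encrypted content; they do not reproduce ClassFinal's real output format.

```python
import io
import zipfile


def find_plaintext(jar_bytes, canaries, prefix=""):
    """Return sorted (entry path, canary) pairs for each canary string found,
    recursing into nested JARs such as those under BOOT-INF/lib/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)
            path = prefix + info.filename
            if path.endswith(".jar") and zipfile.is_zipfile(io.BytesIO(data)):
                hits += find_plaintext(data, canaries, path + "!/")
                continue
            hits += [(path, c) for c in canaries if c.encode("utf-8") in data]
    return sorted(hits)


def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed values: strings known to exist in the unencrypted sources.
CANARIES = ["s3cr3t-db-pass", "internal-pricing-rule"]
OPAQUE = b"\x00<stand-in for encrypted bytes>"


def sample_jar():
    """Constructed sample: two files were left out of cfgfiles / libjars."""
    leaky_yml = b"spring:\n  datasource:\n    password: s3cr3t-db-pass\n"
    return make_jar({
        "BOOT-INF/classes/application.yml": OPAQUE,       # listed in cfgfiles
        "BOOT-INF/classes/application-dev.yml": OPAQUE,   # listed in cfgfiles
        "BOOT-INF/classes/application-prod.yml": leaky_yml,  # not listed
        "BOOT-INF/lib/hutool-all.jar": make_jar({"a.class": OPAQUE}),
        "BOOT-INF/lib/other.jar": make_jar({"app.properties": b"k=s3cr3t-db-pass"}),
    })


if __name__ == "__main__":
    for path, canary in find_plaintext(sample_jar(), CANARIES):
        print(f"PLAINTEXT {canary!r} in {path}")
```

In a build pipeline, pass the bytes of the real xxx-encrypted.jar to find_plaintext and fail the build when the result is not empty.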
