Obfuscating jars created with the Spring Boot framework

Welcome to the Support Corner, where we’ll occasionally talk about topics that we’re seeing while working with our customers. If you’d like to see more like this, please click the Support Corner Category.

Recently, we’ve worked with a handful of customers who are using the Spring Boot framework. Spring Boot provides a simple way to create Spring-based applications. This blog explains how to protect jars created with the framework.

Spring Boot jars use an embedded class file structure which DashO does not directly recognize. DashO processes the regular class and package hierarchy. However, it does not embed the class files from the BOOT-INF/classes directory when writing the obfuscated jar.

To process the Spring Boot jars, first extract the jar file and provide the extracted BOOT-INF/classes directory as input to DashO. Then run DashO obfuscation, and re-jar the directory with BOOT-INF/classes properly embedded in the jar.

Spring Boot jars also don’t use the usual Main-Class entry point. Spring Boot provides a specific entry point (org.springframework.boot.loader.JarLauncher). For Spring Boot jars, you will need to explicitly define the application’s main method in the DashO Entry Point section, so that the jar can execute properly at runtime. This differs from non-Spring Boot jars, where DashO automatically uses the Main-Class entry point as defined in the jar manifest.

We’ve created a simple Spring Boot obfuscation project which automates the process of extracting, obfuscating, and recreating the jar file with obfuscated contents. 

Download the Spring Boot with DashO Sample. The archive contains an Ant file which:

1. Extracts the contents of the Spring Boot jar
2. Obfuscates the classes within the BOOT-INF/classes directory
3. Copies the obfuscated classes back to the exploded directory
4. Re-creates the jar file (called obfuscated.jar) with the obfuscated class files 
5. Cleans any temporary or intermediate files

You will need to set DASHO_HOME to the DashO installation directory for the script to run properly. There is also a DashO config file (.dox) that contains the DashO project settings. 
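A post-build check for the re-created jar, as an added example that is not part of the DashO sample or the Ant file. It assumes Spring Boot's standard layout: a Start-Class manifest attribute naming the application class, and nested jars under BOOT-INF/lib stored uncompressed. The sample jar and its class names are constructed for the demo.

```python
import io
import zipfile

CLASSES, LIBS = "BOOT-INF/classes/", "BOOT-INF/lib/"

def manifest_attrs(jar):
    """Main-section attributes of META-INF/MANIFEST.MF, joining continuation lines."""
    attrs, key = {}, None
    for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs

def check_repackaged_jar(data):
    """Return a list of problems found in a re-created Spring Boot jar (bytes)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return ["missing META-INF/MANIFEST.MF"]
        attrs = manifest_attrs(jar)
        if not attrs.get("Main-Class", "").endswith(".JarLauncher"):
            problems.append("Main-Class is not the Spring Boot JarLauncher")
        # The entry point must keep its name, or the launcher cannot find it.
        start = attrs.get("Start-Class", "")
        if CLASSES + start.replace(".", "/") + ".class" not in names:
            problems.append("Start-Class %r not found under %s" % (start, CLASSES))
        for info in jar.infolist():
            if (info.filename.startswith(LIBS) and info.filename.endswith(".jar")
                    and info.compress_type != zipfile.ZIP_STORED):
                problems.append("compressed nested jar: " + info.filename)
    return problems

def build_sample_jar(entry_class="com/example/demo/DemoApplication.class",
                     lib_compression=zipfile.ZIP_STORED):
    """Constructed in-memory jar for the demo; all names are made up."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Main-Class: org.springframework.boot.loader.JarLauncher\r\n"
                "Start-Class: com.example.demo.DemoApplication\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr(CLASSES + entry_class, b"\xca\xfe\xba\xbe")
        jar.writestr(LIBS + "dep.jar", b"PK", lib_compression)
    return buf.getvalue()
```

To check a real build, pass the bytes of obfuscated.jar to check_repackaged_jar; an empty list means the layout checks passed.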

Please note: this is a basic Spring Boot example. In applications with more complexity, there may be additional configurations necessary, such as rename exclusions or additional jars on the DashO classpath. For more details, please see the DashO user guide.

If you have any feedback on this topic, or other topics you would like us to discuss in the Support Corner, please feel free to contact us at support@preemptive.com.