使用Proguard对FAT JAR包进行代码混淆

1. 解压jar到目标目录

jar xvf original.jar

original.jar为FAT Jar。假设解压目录为 D:/proguard/original

• toman-service-1.0.jar
• classes

2. 配置混淆文件

建议下载ProGuard通过GUI进行配置文件设置，设置完毕后通过Save configuration…保存配置文件。配置文件保存到D:/proguard/config/proguard-for-jar

为了更好的使用ProGuard，或者一开始就知道代码需要进行混淆的情况下，最好将@Component，@Controller，@Service，@RestController，@Repository，@Resource等注解都加上名字。

在我们的系统里DAO，API，常量等相关JAR包时没有进行混淆的。各系统可以根据自己的实际情况决定对哪进行混淆。

配置文件示例：

# 带混淆JAR以及对应输出jar
-injars original\toman-service-1.0.jar
-outjars target\toman-service-pro-1.0.jar
-injars classes(**.class)
-outjars target\classes-pro.jar

# jdk jars
-libraryjars 'C:\Program Files\Java\jre1.8.0_191\lib\rt.jar'
-libraryjars 'C:\Program Files\Java\jre1.8.0_191\lib\jce.jar'

# third-part jar
-libraryjars lib\ajdv-0.1.jar
-libraryjars lib\annotations-3.0.0.jar
-libraryjars lib\ant-1.8.0.jar
-libraryjars lib\ant-launcher-1.8.0.jar
-libraryjars lib\aspectjweaver-1.8.13.jar
-libraryjars lib\btf-1.2.jar
-libraryjars lib\c3p0-0.9.5.2.jar
# 应用中无需混淆JAR
-libraryjars lib\toman-api-1.0.0-SNAPSHOT.jar

-dontshrink
-dontoptimize
# 定义输出mapping文件
-printmapping toman-mapping
# 混淆后类名不区分大小写（windows下不区分大小写）
-dontusemixedcaseclassnames
# 不做混淆的包名
-keeppackagenames com.toman.product
# 以下属性不做混淆
-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,*Annotation*,Synthetic,EnclosingMethod
-dontpreverify
# 忽略警告信息
-ignorewarnings

# 保留@Configuration注解的类的方法名
# keep classes and class members,  @Configuration, com.toman.product.**, <methods>
-keep @org.springframework.context.annotation.Configuration class com.toman.product.** {
    <methods>;
}

# 保留所有@Component注解的类的@Resource注解的字段以及@Pointcut注解的方法
# keep class members only, @Component, com.toman.product.**, <fields>
-keepclassmembers @org.springframework.stereotype.Component class com.toman.product.** {
    @javax.annotation.Resource
    <fields>;
    @org.aspectj.lang.annotation.Pointcut
    <methods>;
}

# 保留@RestController注解的类的@Resource注解的字段
# keep class members only, @RestController, com.toman.product.**, <fields>
-keepclassmembers @org.springframework.web.bind.annotation.RestController class com.toman.product.** {
    @javax.annotation.Resource
    <fields>;
}

# 保留@Service注解的类的@Resource注解的字段
# keep class members only, @Service, com.toman.product.**, <fields>
-keepclassmembers @org.springframework.stereotype.Service class com.toman.product.** {
    @javax.annotation.Resource
    <fields>;
}

# 保留@Controller注解的类的@Resource注解的字段
# keep class members only, @Controller, com.toman.product.**, <fields>
-keepclassmembers @org.springframework.stereotype.Controller class com.toman.product.** {
    @javax.annotation.Resource
    <fields>;
}

# 保留@ConfigurationProperties注解的类的字段名和方法名
# keep class members only, @ConfigurationProperties, com.toman.product.**, <fields><methods>
-keepclassmembers @org.springframework.boot.context.properties.ConfigurationProperties class com.toman.product.** {
    <fields>;
    <methods>;
}

# 保留所有领域对象的字段名和方法名
-keepclassmembers class com.toman.product.core.domain.** {
    <fields>;
    <methods>;
}

# 以下为ProGuard自带配置
# Keep - Applications. Keep all application classes, along with their 'main' methods.
-keepclasseswithmembers public class * {
    public static void main(java.lang.String[]);
}

# 以下部分为节省空间已删除
# enumeration classes.
# Also keep - Database drivers. Keep all implementations of java.sql.Driver.
# Also keep - Swing UI L&F. Keep all extensions of javax.swing.plaf.ComponentUI,
# along with the special 'createUI' method.
# Keep - Native method names. Keep all native class/method names.
# Remove - System method calls. Remove all invocations of System
# methods without side effects whose return values are not used.
# Remove - Math method calls. Remove all invocations of Math
# methods without side effects whose return values are not used.
# Remove - Number method calls. Remove all invocations of Number
# methods without side effects whose return values are not used.
# Remove - String method calls. Remove all invocations of String
# methods without side effects whose return values are not used.
# Remove - StringBuffer method calls. Remove all invocations of StringBuffer
# methods without side effects whose return values are not used.
# Remove - StringBuilder method calls. Remove all invocations of StringBuilder
# methods without side effects whose return values are not used.

3. 通过命令行执行代码混淆

%PROGUARD_HOME%\bin\proguard.bat -include D:/proguard/config/proguard-for-ja -basedirectory D:/proguard

混淆后的代码存储到D:/proguard/target。但是混淆后生成的jar包并不能直接使用，需要重新进行打包。

• toman-service-pro-1.0.jar
• classes-pro.jar

4. 对混淆后的jar包重新打包

对混淆后的JAR包解压

jar xvf toman-service-pro-1.0.jar
jar xvf classes-pro.jar

将解压后的class文件重新打包成JAR

jar -cvfM0 toman-service-1.0.jar ../toman-service-pro-1.0
jar -cvfM0 classes.jar ../classes-pro

5. 将重新打包的JAR再次打包成FAT Jar

jar -cvfM0 target.jar .

参考

使用proguard进行javaweb代码混淆