Obfuscating a Maven web project with ProGuard: an up-to-date solution

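At a customer's request, our company's whole suite of business projects needs a private deployment, which means handing the customer the source code (not the real source). What we actually deliver is a WAR package, and for copyright and trade-secret reasons we have to apply some protective processing to the code on our side.

The post linked below already explains the background, so I will not go into Java decompilation in depth here.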

https://www.cnblogs.com/PheonixHkbxoic/p/5759680.html

Obfuscating with ProGuard under Maven takes roughly three steps:

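  1. Add the ProGuard plugin and its configuration to the project's pom file

      <plugin>
          <groupId>com.github.wvengen</groupId>
          <artifactId>proguard-maven-plugin</artifactId>
          <version>2.0.11</version>
          <executions>
              <execution>
                  <!-- Run the obfuscation during the package phase -->
                  <phase>package</phase>
                  <goals>
                      <!-- The plugin goal to run -->
                      <goal>proguard</goal>
                  </goals>
              </execution>
          </executions>
          <configuration>
              <!-- Attach the generated jar to the build as an artifact -->
              <attach>true</attach>
              <!-- Enable obfuscation -->
              <obfuscate>true</obfuscate>
              <!-- Classifier of the attached artifact -->
              <attachArtifactClassifier>pg</attachArtifactClassifier>
              <proguardInclude>${basedir}/proguard.conf</proguardInclude>
              <!-- JDK runtime libraries (rt.jar and jce.jar exist on JDK 8 and earlier) -->
              <libs>
                  <lib>${java.home}/lib/rt.jar</lib>
                  <lib>${java.home}/lib/jce.jar</lib>
              </libs>
              <!-- Input: the compiled classes directory of the project -->
              <injar>classes</injar>
              <outjar>${project.build.finalName}-pg.jar</outjar>
              <!-- Output directory -->
              <outputDirectory>${project.build.directory}</outputDirectory>
          </configuration>
      </plugin>

   Add a proguard.conf file in the same directory as the pom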

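# Ignore all warnings; otherwise obfuscation stops as soon as a warning occurs
-ignorewarnings

# Target JDK version 1.7
-target 1.7

# No shrinking (removal of comments and unreferenced code)
-dontshrink

# No optimization (which changes how the code is implemented)
-dontoptimize

# Do not skip non-public library classes and members
-dontskipnonpubliclibraryclasses
-dontskipnonpubliclibraryclassmembers

# Allow access modifiers of classes and class members to be changed during optimization
-allowaccessmodification

# Use unique obfuscated names for class members to strengthen the obfuscation
-useuniqueclassmembernames

# Do not obfuscate any package names; in my tests an obfuscated web project had far too many problems, since the Spring configuration contains many hard-coded package names
-keeppackagenames

# Do not obfuscate method parameter names
-keepparameternames

# Keep these class-file attributes (LocalVariable*Table has been taken out of the list)
-keepattributes Exceptions,InnerClasses,Signature,Deprecated,SourceFile,LineNumberTable,*Annotation*,Synthetic,EnclosingMethod

# Do not obfuscate the class names in these packages
-keep class weg.base.** { <methods>; }
-keep class weg.service.** { <methods>; }
-keep class weg.dao.** { <methods>; }
-keep class weg.util.** { <methods>; }

# Do not obfuscate the class names in the quartz package, nor the methods in those classes
-keep class weg.quartz.** { <methods>; }

# Do not obfuscate the classes in the model package or their fields and methods; these are entities, and obfuscating them stops the ORM framework and the front end from recognizing them
-keep class weg.model.** {*;}

# Do not obfuscate any set/get methods, since some third-party frameworks used in the project (Shiro, for example) rely heavily on set/get mapping
-keepclassmembers public class * {void set*(***);*** get*();}

# Keep public and protected members of public classes from being obfuscated
-keep public class * { public protected <fields>;public protected <methods>; }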

  2. The maven package run

Packaging with Maven is a painful stage. If the code was never optimized early on and the project is bloated, it takes a long time.

D:\PC_gomeet\*****>mvn package
[WARNING]
[WARNING] Some problems were encountered while building the effective settings
[WARNING] expected START_TAG or END_TAG not TEXT (position: TEXT seen ...\n\t\n\ua0\ua0\ua0\ua0\ua0\ua0\ua0  version ${poi.version} vs 3.9 @ line 502, column 15
[WARNING] 'build.plugins.plugin.version' for org.apache.tomcat.maven:tomcat7-maven-plugin is missing. @ line 734, column 12
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] -----------------------< com.rionsoft:****** >------------------------
[INFO] Building **** 1.0.1-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[WARNING] The POM for opensymphony:quartz-all:jar:1.6.1 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The artifact javax.xml:jaxrpc:jar:1.1 has been relocated to javax.xml:jaxrpc-api:jar:1.1
[WARNING] The artifact xerces:xerces:jar:2.4.0 has been relocated to xerces:xercesImpl:jar:2.4.0
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ **** ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 1032 resources
[INFO] Copying 95 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.0:compile (default-compile) @ **** ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 1032 source files to D:\PC_gomeet\****\target\classes
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/utils/tools/MyUtils.java:[603,11] catch 子句无法访问
  已捕获到抛出的类型java.io.FileNotFoundException
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/wechat/mp/api/WxHttpClient.java: 某些输入文件使用或覆盖了已过时的 API。
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/wechat/mp/api/WxHttpClient.java: 有关详细信息, 请使用 -Xlint:deprecation 重新编译。
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/worker/biz/impl/WorkerBizImpl.java: 某些输入文件使用了未经检查或不安全的操作。
[WARNING] /D:/PC_gomeet/****/src/main/java/com/rionsoft/gomeet/api/worker/biz/impl/WorkerBizImpl.java: 有关详细信息, 请使用 -Xlint:unchecked 重新编译。
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ ****---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory D:\PC_gomeet\gomeetpc\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.0:testCompile (default-testCompile) @ ****---
[INFO] Changes detected - recompiling the module!
[INFO]
[INFO] --- maven-surefire-plugin:2.10:test (default-test) @ ****---
[INFO] Tests are skipped.
[INFO]
[INFO] --- maven-war-plugin:2.2:war (default-war) @ *****---
[INFO] Packaging webapp
[INFO] Assembling webapp [****] in [D:\PC_gomeet\****\target\****-1.0.1-SNAPSHOT]
[INFO] Processing war project
[INFO] Copying webapp resources [D:\PC_gomeet\****\src\main\webapp]
[INFO] Webapp assembled in [65154 msecs]
[INFO] Building war: D:\PC_gomeet\****\target\****-1.0.1-SNAPSHOT.war
[INFO] WEB-INF\web.xml already added, skipping
[INFO]
[INFO] --- maven-dependency-plugin:2.8:copy (copy) @ gomeetpc ---
[INFO] Configured Artifact: com.rionsoft:*****:1.0.1-SNAPSHOT:war
[INFO] Copying gomeetpc-1.0.1-SNAPSHOT.war to D:\PC_gomeet\release\war\com.rionsoft.gomeetpc.war
[INFO]
[INFO] --- maven-resources-plugin:2.6:copy-resources (copy-resources) @ ****---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 9 resources
[INFO] skip non existing resourceDirectory D:\PC_gomeet\****\src\main\resources\profile\${jdbc.environment}
[INFO]
[INFO] --- proguard-maven-plugin:2.0.11:proguard (default) @ *****---
 [proguard] Preparing output jar [D:\PC_gomeet\gomeetpc\target\classes-pg.jar]
 [proguard]   Copying resources from program directory [D:\PC_gomeet\****\target\classes] (filtered)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 02:30 min
[INFO] Finished at: 2018-12-04T10:21:39+08:00
[INFO] ------------------------------------------------------------------------

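If the project packages successfully, the output directory contains the following files:

  • classes-pg.jar: the obfuscated classes, containing the complete project structure
  • proguard_map.txt: the mapping of obfuscated names
  • proguard_seed.txt: the classes involved in obfuscation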
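A way to check how much of the build was actually renamed, as an added example that is not part of the original post: the Python script below parses a mapping file in the format of proguard_map.txt and counts renamed versus kept class and member names. The sample mapping is constructed (the weg.internal package and all member names in it are assumptions). With the rules above, `-keep public class *` leaves public class names and their public and protected members unchanged, so the kept list shows which names a decompiler will still display in clear.

```python
import re
import sys
from collections import Counter
# Constructed sample in ProGuard's mapping format (not taken from the page's project).
SAMPLE_MAP = """\
weg.service.UserService -> weg.service.UserService:
    weg.dao.UserDao userDao -> a
    void setUserDao(weg.dao.UserDao) -> setUserDao
    12:20:java.lang.String hashPassword(java.lang.String) -> a
    22:30:weg.model.User findUser(java.lang.String) -> findUser
weg.model.User -> weg.model.User:
    java.lang.String name -> name
    java.lang.String getName() -> getName
weg.internal.LicenseCheck -> weg.internal.a:
    1:3:void <init>() -> <init>
    byte[] key -> a
    5:9:boolean verify(byte[]) -> a
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# [start:end:]type name[(args)][:origStart:origEnd] -> newName
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?\S+ ([^\s(:]+)(?:\(.*?\))?(?::\d+:\d+)? -> (\S+)$")

def coverage(mapping_text):
    """Return (Counter of renamed/kept names, list of members whose names survived)."""
    stats, kept_members, current = Counter(), [], None
    for line in mapping_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            stats["classes_kept" if m.group(1) == m.group(2) else "classes_renamed"] += 1
            continue
        m = MEMBER_RE.match(line)
        if m is None or current is None or m.group(1).startswith("<"):
            continue  # unparsed line, or <init>/<clinit>, which are never renamed
        if m.group(1) == m.group(2):
            stats["members_kept"] += 1
            kept_members.append(f"{current}.{m.group(1)}")
        else:
            stats["members_renamed"] += 1
    return stats, kept_members

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MAP
    stats, kept = coverage(text)
    print(dict(stats), *kept, sep="\n")
```

Pass the path of the generated proguard_map.txt as the first argument; without arguments the script reports on the constructed sample.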

  3. Decompile the result and test that the code runs

Tools:

The Java decompiler JD

The Java decompiler Luyten https://github.com/deathmarine/Luyten

The Java decompiler jadx https://github.com/skylot/jadx

Result:

[Screenshot: decompiled output]

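That finally wraps it up.

To sum up: I had never worked with code obfuscation before, and although the process was tedious, I learned a lot from it. In short, don't be afraid, and be willing to try.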
