Reputation: 706
I am using proguard-maven-plugin in my multi-module maven project with spring boot. By no means, I am not an expert and still learning how to make use of all features provided with ProGuard, so bear with me. ProGuard dependency:
Final product is a .jar file which is depending on a successfully obfuscated module with core functionalities . After compiling and packaging the product jar with maven, its structure looks like (using jd-gui-1.6.6 to inspect the content of product jar):
|_a(ObfuscatedModule package after obfuscation)
Since the point of obfuscation is to hide the module with core functionalities, I would like to also exclude from the lib directory inside the product jar. After going through the proguard examples, I haven't found the way to do it. Is it possible to exclude or at least obfuscate the core .jar module in /lib
EDIT: I have tried to bypass generating a separate folder with dependencies by using maven-shade-plugin, creating an uber JAR. When used, it adds all the dependencies to the classpath and afterwards ProGuard plugin is used to obfuscate what needs to be obfuscated. Structure of the project looks satisfying, with the dependencies added to classpath and obfuscated correctly. But when I try to run the shaded jar, I keep getting the following error:
Error: Could not find or load main class
The Main class is found in the jar and I know it's not related to the initial issue, but I have resorted to every possible solution found on SO and internet - no luck.
Upvotes: 2
Views: 1472
Reputation: 382
Firstly, I added a of "provided" (link to docs) to the dependencies I wanted out of the lib folder
This is not a solution because by default, both the repackage and the run goals will include any provided dependencies that are defined in the project. A Spring Boot project should consider provided dependencies as container dependencies that are required to run the application.
To exclude libraries from the output jar, excludeGroupIds works as expected. For example,
Be careful, however, because it seems that it is necessary to specify the id of the execution otherwise the packages you want to remove will still be present in the output jar. This is because the plugin spring-boot-maven-plugin is executed 2 times. One time with the repackage id and one time with the default id (in which there are no declared filters).
[INFO] --- spring-boot-maven-plugin:2.3.1.RELEASE:repackage (repackage) @ <app name> ---
[INFO] Replacing main artifact with repackaged archive
[INFO] --- spring-boot-maven-plugin:2.3.1.RELEASE:repackage (default) @ <app name> ---
[INFO] Replacing main artifact with repackaged archive
Upvotes: 0
Reputation: 706
So, after a bit of struggle, I found a solution to my issue. Firstly, I added a <scope/>
of "provided" (link to docs) to the dependencies I wanted out of the lib
folder :
Afterwards, I ran mvn clean install
and inspected the output .jar, but the dependencies were still found in the lib
folder. Missing piece was adding <excludeGroupIds>com.myCompany</excludeGroupIds>
in spring-boot-maven-plugin
inside the pom.xml of the module that was being obfuscated:
Reason why modules with groupId = com.myCompany are being excluded is because some of the modules that are being developed are also being obfuscated (hence the same groupId). There is no point in obfuscating code which someone can easily inspect, while also finding those unobfuscated jars in the lib
Upvotes: 2