3

I have a web application using spring annotations extensivley and I have my proguard configuration like the following:

-printmapping out.map

-dontoptimize

-keepdirectories

-renamesourcefileattribute SourceFile

-keepattributes Exceptions,SourceFile,LineNumberTable,*Annotation*

-adaptresourcefilenames    **.xsd,**.wsdl,**.xml,**.properties,**.gif,**.jpg,**.png
-adaptresourcefilecontents **.xsd,**.wsdl,**.xml,**.properties,META-INF/MANIFEST.MF 

-dontshrink

-keepclassmembernames class * {
    java.lang.Class class$(java.lang.String); 
    java.lang.Class class$(java.lang.String, boolean);
}

-keepclassmembers enum * {
    public static **[] values(); 
    public static ** valueOf(java.lang.String);
}

-keepclassmembers class * implements java.io.Serializable { 
    static final long serialVersionUID; 
    private static final java.io.ObjectStreamField[] serialPersistentFields; 
    private void writeObject(java.io.ObjectOutputStream); 
    private void readObject(java.io.ObjectInputStream); 
    java.lang.Object writeReplace(); 
    java.lang.Object readResolve();
}

-keep @org.springframework.transaction.annotation.Transactional class *

-keep @org.springframework.stereotype.Service class *

-keep @org.springframework.stereotype.Controller class *

-keep @org.springframework.beans.factory.annotation.Autowired class *

-keep @org.springframework.web.bind.annotation.ResponseBody class *

-keep @org.springframework.web.bind.annotation.RequestMapping class *

-keep @org.springframework.stereotype.Repository class *

-keep @javax.annotation.Resource class *

-keep @javax.persistence.Entity class *

-keep @javax.persistence.Table class *

-keep @javax.persistence.Id class *

-keep @javax.persistence.GeneratedValue class *

-keep @javax.persistence.Column class *

-keep @javax.persistence.Transient class *

-keep @org.springframework.ws.server.endpoint.annotation.Endpoint class *

-keep @org.springframework.ws.server.endpoint.annotation.PayloadRoot class *

-keep @org.springframework.ws.server.endpoint.annotation.ResponsePayload class *

It built fine without warnings whatsoever. But after deploying in tomcat, and opening the page in the browser it waits and waits without any result, What could be the problem?

GingerHead
  • 8,130
  • 15
  • 59
  • 93
  • 2
    Can you make a thread-dump using `jstack` or `JVisualVM` during waiting? Also, maybe the browser silently logs some errors? – Tomasz Nurkiewicz Jan 23 '12 at 10:59
  • 2
    If you're running on unix/linux you can do a thread dump by issuing `killall -QUIT java`. The thread dump will appear in `catalina.out`. – Jonathan Jan 23 '12 at 12:15
  • 2
    Do you have .class files under WEB-INF/...? Last time I spoke with Proguard's developer on the forums, Proguard could not handle, inside a .war file, unpacked .class files in WEB-INF (under com/yourcompany/yourpackage): it could handle properly only .jar files – Unai Vivi Jan 23 '12 at 14:48
  • 2
    Schowing your tomcat logs would help to diagnose problem – Konstantin Pribluda Jan 25 '12 at 09:17
  • 2
    @Harout: this is not 100% correct, there was the same answer like for that question: we need more information: log, dump or what ever! At the moment this question is a bit like: "something does not work, please help." – Ralph Jan 25 '12 at 10:37
  • 2
    If you have no log or anything, that use a debugger with an breakpoint early in the request handling, and walk through the program until you find something strange. – Ralph Jan 25 '12 at 10:40
  • 1
    I have logs but nothing error into it, I thing proguard is messing up a lot, so that the application can't initialize in tomcat – GingerHead Jan 25 '12 at 11:28
  • 1
    I am using a jar to obfuscate and putting in it the needed prop files,. – GingerHead Jan 25 '12 at 11:29

2 Answers2

9

I found out the problem:
proguard can't treat the annotated classes, methods, fields specially when they are runtime types. If you run proguard even with -keep option for the annotations, it will still mess up with the configuration files, because it can only replace classes, methods, fields in the resources that have full reference to the package i.e. if and only if the class/field is mentioned in the following way: my.package.level.purpose.MyClass/my.package.level.purpose.MyClass.myField.
And coming back to the annotations, a spring web application is full of annotations, so it will be useless or even not obfuscated at all (maybe only the util classes will be obfuscated).
Conlusion:
There is no use of obfuscating modern spring (3.x.x+) web applications with any obfuscators even the commercial ones, because they all work on the byte-code side of the code and will not treat annotations and mess up with the config files.

GingerHead
  • 8,130
  • 15
  • 59
  • 93
  • 4
    i'm kinda stuck in a similar situation , facing a situation where spring confusing the annotated implementation name with it's interface.. probably the obfuscation screws up the annotations ..it's a realy technicaly challenging situation of embarassement towards my boss , who insists of obfuscation . – Genjuro Apr 27 '12 at 10:45
  • 1
    You need to come up with new technology! – GingerHead Jul 04 '12 at 13:16
  • 1
    @FrozenFlame so what did you do? – GingerHead May 23 '13 at 22:17
  • 2
    if i remember well i used -dontoptimize – Genjuro May 24 '13 at 08:26
2

You need to check the server log files to see what is going on. If there is nothing obviously wrong, changing the logging level to DEBUG will give you lots more information about what Spring is doing.

FWIW, I'd expect a Spring-based application to give you lots of problems if your try to obfuscate it. Spring's DI and annotation processing are likely to be broken by the transformations that a obfuscator performs on the class files. For instance, any place where an annotation refers to the name of another class or method will break if the obfuscator replaces the class / method name.

My advice would be to give up obfuscation as a bad idea.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • 2
    The obfuscator is probably messing things up so badly that the logging system doesn't initialize. – Stephen C Jan 24 '12 at 05:59
  • 1
    Ye that's what I think the log4j is dying under its process so badly! but starnge because it must work according what I read from others that used proguard with spring! strange indeed! – GingerHead Jan 24 '12 at 16:19
  • 3
    @Harout - I refer you to the last sentence of my answer :-). Seriously, obfuscation doesn't give you any real protection against someone reverse engineering your code. In the long term, all it gives you (and your honest paying customers) is pain. – Stephen C Jan 25 '12 at 01:39
  • 1
    @GingerHead can you post the solution that you found please ! – Abdelghani Roussi Jan 05 '16 at 18:14
  • 1
    @AbelRoussi look at this http://stackoverflow.com/questions/9129689/is-there-any-eclipse-refactoring-api-that-i-can-call-programmatically/9585503#9585503 – GingerHead Apr 27 '16 at 07:37