How to setup proguard obfuscation with spring boot 2 and gradle build?
Hello. Trying to setup code obfuscation of Spring Boot app with its gradle plugin and Proguard gradle plugin. Google mostly gives some approaches for older spring-boot-gradle-plugin version (i.e. this closest one using non-existing bootRepackage task), or using maven plugin (having repackage goal).
Idea is to obfuscate classes before jar packaging, as I understand, but I don't see any entry points in current gradle plugin version, and would like to avoid manual extraction and zipping back.
Is anyone using that combo at all? Spring Boot version >=2.0.3.
I think that today is not possible and you have to do it with manual extraction and zipping back.
An example of manual extraction and zipping back which could be helpful:
build.gradle
version = '0.1.0'
buildscript {
dependencies {
classpath 'net.sf.proguard:proguard-gradle:6.0.3'
classpath 'net.sf.proguard:proguard-base:6.0.3'
}
}
apply plugin: 'java'
apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management'
task extractJar(type: Copy) {
def zipFile = file("${buildDir}/libs/your_project_name-${version}.jar")
def outputDir = file("${buildDir}/unpacked/")
from zipTree(zipFile)
into outputDir
}
task proguard(type: proguard.gradle.ProGuardTask) {
doFirst {
tasks.extractJar.execute();
}
configuration 'proguard.conf'
injars "${buildDir}/unpacked/BOOT-INF/classes"
outjars "${buildDir}/obfClasses"
libraryjars "${System.getProperty('java.home')}/lib/rt.jar"
libraryjars "${buildDir}/unpacked/BOOT-INF/lib"
doLast {
tasks.deleteClasses.execute();
}
}
task deleteClasses(type: Delete) {
delete "${buildDir}/unpacked/BOOT-INF/classes/"
doLast {
tasks.copyObfuscatedClasses.execute()
}
}
task copyObfuscatedClasses(type: Copy) {
from "${buildDir}/obfClasses"
into "${buildDir}/unpacked/BOOT-INF/classes/"
include 'com/**'
include '*.properties'
doLast {
tasks.copyObfuscatedJars.execute()
}
}
task copyObfuscatedJars(type: Copy) {
from "${buildDir}/obfClasses"
into "${buildDir}/unpacked/BOOT-INF/lib/"
include '*.jar'
doLast {
tasks.deleteObfuscated.execute()
}
}
task deleteObfuscated(type: Delete) {
delete 'build/obfClasses'
doLast {
tasks.repackage.execute()
}
}
task repackage(type: Zip) {
from "${buildDir}/unpacked"
entryCompression ZipEntryCompression.STORED
archiveName "your_project_name-${version}-obf.jar"
destinationDir(file("${buildDir}/libs"))
}
proguard.conf
-ignorewarnings
-keepdirectories
-keep interface com.your_package.** { *; }
-keep class com.your_package.main{ *; }
-keep class com.your_package.model.** { *; }
-keepparameternames
-keepclassmembers #org.springframework.** class * {
*;
}
-keepclassmembers #org.springframework.** interface * {
*;
}
-keepclassmembers enum * {
public static **[] values();
public static ** valueOf(java.lang.String);
}
-keep #org.springframework.** class *
-keepclassmembers #javax.** class * { *; }
-dontwarn org.springframework.**
-dontwarn javax.**
-dontwarn org.yaml.snakeyaml.**
-dontwarn okhttp3.**
have you tried writing a task for it in your build.gradle?
task obfuscate(type: proguard.gradle.ProGuardTask, dependsOn: jar) {
mustRunAfter ('javadoc')
inputs.file file("${jar.archivePath}")
outputs.file file("$buildDir/proguard/${project.name}-${project.version}.jar")
injars "${jar.archivePath}"
// JDK 8 and below use jars on the classpath
if (JavaVersion.current().java8Compatible && !JavaVersion.current().java9Compatible) {
println "Obfuscation inputs based on JDK 8 layout."
libraryjars "$javaHome/lib/rt.jar"
libraryjars "$javaHome/lib/jce.jar"
libraryjars "$javaHome/lib/ext/jfxrt.jar"
} else {
// JDK 9 and above use modules on the module-path
println "Obfuscation inputs based on JDK 9+ module layout."
def jdkModuleList = [
'java.base', 'java.datatransfer', 'java.desktop',
'java.instrument', 'java.logging',
'java.management', 'java.prefs', 'java.rmi',
'java.scripting', 'java.xml',
'jdk.attach'
]
jdkModuleList.forEach {
libraryjars "$javaHome/jmods/${it}.jmod", jarfilter: '!**.jar', filter: '!module-info.class'
}
target '10' // JDK 9 is obsolete, would target 11, but Proguard can't deal with 11's class files yet
}
// dependencies
configurations.runtime.files.each {
libraryjars it, filter: '!META-INF/versions/**'
}
outjars "$buildDir/proguard/${project.name}-${project.version}.jar"
printseeds "$buildDir/proguard/proguard_seeds.txt"
printmapping "$buildDir/proguard/proguard_map.txt"
configuration 'src/main/proguard/configuration.pro'
}
this thread might be helpful with your situation:
https://discuss.gradle.org/t/obfuscated-jars-what-are-the-best-practices/18834/6
Related
I tried to copy the Spring Boot Kotlin sample project https://github.com/JetBrains/kotlin-examples/tree/master/tutorials/spring-boot-restful. I Added some more dependencies and when I tried to build the executable jar and run it, I got the error:
Could not find or load main class...
Gradle build script:
buildscript {
ext.kotlin_version = '1.1.3' // Required for Kotlin integration
ext.spring_boot_version = '1.5.4.RELEASE'
repositories {
jcenter()
}
dependencies {
classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version" // Required for Kotlin integration
classpath "org.jetbrains.kotlin:kotlin-allopen:$kotlin_version" // See https://kotlinlang.org/docs/reference/compiler-plugins.html#kotlin-spring-compiler-plugin
classpath "org.springframework.boot:spring-boot-gradle-plugin:$spring_boot_version"
}
}
/*plugins {
id 'org.springframework.boot' version '2.0.0.RELEASE'
}*/
apply plugin: 'kotlin' // Required for Kotlin integration
apply plugin: "kotlin-spring" // See https://kotlinlang.org/docs/reference/compiler-plugins.html#kotlin-spring-compiler-plugin
apply plugin: 'org.springframework.boot'
jar {
baseName = 'gs-rest-service'
version = '0.1.0'
from {
(configurations.runtime).collect {
it.isDirectory() ? it : zipTree(it)
}
}
manifest {
attributes 'Main-Class': 'org.jetbrains.kotlin.demo.Applicationkt'
}
}
sourceSets {
main.java.srcDirs += 'src/main/kotlin/'
test.java.srcDirs += 'src/test/kotlin/'
}
repositories {
jcenter()
}
dependencies {
compile "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version" // Required for Kotlin integration
compile("org.springframework.boot:spring-boot-starter-web")
compile group: 'org.apache.camel', name: 'camel-quartz2', version: '2.20.2'
compile group: 'org.apache.camel', name: 'camel-http4', version: '2.20.2'
compile group: 'org.apache.camel', name: 'camel-docker', version: '2.20.2'
compile group: 'org.apache.camel', name: 'camel-aws', version: '2.20.2'
testCompile('org.springframework.boot:spring-boot-starter-test')
}
Change Applicationkt to ApplicationKt will work, and BTW you may upgrade Kotlin version to 1.3.50.
By Applicationkt I mean the one in this line:
attributes 'Main-Class': 'org.jetbrains.kotlin.demo.Applicationkt'
Kotlin compiles the Application file in two different files:
one file called Application.class with the Springboot things
another file called ApplicationKt.class with the main method
In this second file is where the main function is located at, so you have to use this name in the build.gradle file.
mainClassName = 'org.jetbrains.kotlin.demo.ApplicationKt'
Update your build.gradle to
jar {
manifest {
attributes 'Main-Class': 'org.jetbrains.kotlin.demo.ApplicationKt'
}
from {
configurations.compile.collect { it.isDirectory() ? it : zipTree(it) }
}
}
with an upper case K in ApplicationKt.
This is required because of the way Kotlin compiles to Java Bytecode. The fun main() function in Kotlin is not attached to any class, but Java always requires a class and does not support classless functions.
The Kotlin compiler has to create a Java class. Because you already defined a class Application it created one with the suffix Kt for the functions in your Kotlin file org/jetbrains/kotlin/demo/Application.kt. You have to set this class so that the JVM can find it.
BTW a Jar file is just a Zip file, you can unpack it and see for yourself if the ApplicationKt.class is there.
For me the main function needed to be outside the class body
#SpringBootApplication
#Configuration
class Application
(private val locationRepository: LocationRepository,
) : CommandLineRunner {
override fun run(vararg args: String?) {
whatever()
}
}
fun main(args: Array<String>) {
runApplication<Application>(*args)
}
Indeed, Kotlin create file ApplicationKt.class in the jar if your main class file is named Application.kt. You have to add the following lines:
apply plugin: 'kotlin'
apply plugin: 'application'
mainClassName = 'org.jetbrains.kotlin.demo.ApplicationKt'
If you use the classic jar plugin, you can do as below (which is described in previous responses):
jar {
manifest {
attributes 'Main-Class': 'org.jetbrains.kotlin.demo.ApplicationKt'
}
from {
configurations.compile.collect { it.isDirectory() ? it : zipTree(it) }
}
}
However, my preference is to use bootJar plugin which is much clear and which allow me to use layered jars for example:
bootJar {
layered() // Not useful if you don't want to use layered jars
}
I have the following gradle build config:
plugins {
id 'com.github.johnrengelman.shadow' version '1.2.3'
}
group 'abc'
version '1.0-SNAPSHOT'
apply plugin: 'java'
apply plugin: 'application'
mainClassName = "abc.Driver"
repositories {
mavenCentral()
}
dependencies {
compile (group: 'org.apache.hadoop', name: 'hadoop-client', version: '2.6.0')
}
sourceSets {
main {
java {
srcDir './src'
}
}
}
jar {
manifest {
attributes(
'Class-Path': configurations.compile.collect { it.getName() }.join(' '),
'Main-Class': mainClassName
)
}
}
task fatJar(type: Jar) {
manifest {
attributes 'Implementation-Title': 'Gradle Jar File Example',
'Implementation-Version': version,
'Main-Class': mainClassName
}
baseName = project.name + '-all'
from { (configurations.compile - configurations.provided).collect
{
//println it.getName()
it.isDirectory() ? it : zipTree(it)
}
}
{
exclude "META-INF/*.SF"
exclude "META-INF/*.DSA"
exclude "META-INF/*.RSA"
}
with jar
}
The main method that I have is just the following piece of code:
public static void main(String[] args) {
Iterable<ClientProtocolProvider> frameworkLoader =
ServiceLoader.load(ClientProtocolProvider.class);
for(ClientProtocolProvider cpp: frameworkLoader) {
System.out.println(cpp.toString());
}
}
When I run the main method from IDE as expected I get the following output:
org.apache.hadoop.mapred.YarnClientProtocolProvider#4783da3f
org.apache.hadoop.mapred.LocalClientProtocolProvider#300ffa5d
But when I run the gradle fat jar task and I create the fat jar, after running the main method using (java -jar) through terminal I just get:
org.apache.hadoop.mapred.LocalClientProtocolProvider#7f31245a
I found that when fat jar is created, the entries under META-INF/services are merged for all dependencies and hence I lose the declaration for YarnClientProtocolProvider which I need further in my code.
YarnClientProtocolProvider is declared in hadoop-mapreduce-client-jobclient.jar
LocalClientProtocolProvider is declared in hadoop-mapreduce-client-common.jar
Does any body know how to create a fat jar which does not merges entries under META-INF/services?!
This should do the work
shadowJar {
mergeServiceFiles()
}
I'm trying to compile (with gradle) and execute (with the java 1.8 runtime) a small groovy program (see helloWorld.groovy, below).
But when I try to invoke it, I get Error: Could not find or load main class helloWorld
What am I missing?
compile:
lexu> gradle clean jar
:clean
:compileJava UP-TO-DATE
:compileGroovy UP-TO-DATE
:processResources UP-TO-DATE
:classes UP-TO-DATE
:jar
BUILD SUCCESSFUL
Total time: 0.555 secs
execute:
lexu> java -jar ./build/libs/helloWorld.jar
Error: Could not find or load main class helloWorld
helloWorld.groovy:
class helloWorld {
static void main(String[] args) {
println('Hello World');
}
}
build.gradle:
apply plugin: 'groovy'
apply plugin: 'application'
mainClassName = "helloWorld"
archivesBaseName = 'helloWorld';
configurations {provided; inlib;}
repositories {mavenCentral()}
dependencies {compile 'org.codehaus.groovy:groovy-all:2.4.7'}
jar {
manifest {
attributes(
'Class-Path': configurations.compile.collect { it.getName() }.join(' '),
'Main-Class': 'helloWorld'
)
}
}
There are a couple of issues with your setup.
Not breaking, but worth mentioning here: Convention states your filenames and classes should be uppercase: HelloWorld.groovy
gradle assumes your source files to be under src/main/java or in this case, src/main/groovy. You can configure it according to your preferences with gradle groovy plugin - project layout:
sourceSets {
main {
groovy {
srcDirs = ['src/groovy']
}
}
}
You need to include all runtime dependencies for groovy in your jar-archive. For this, let's use use an extended task called uberjar.
build.gradle:
apply plugin: 'groovy'
apply plugin: 'application'
mainClassName = "HelloWorld"
archivesBaseName = 'HelloWorld';
configurations {provided; inlib;}
repositories {mavenCentral()}
dependencies {compile 'org.codehaus.groovy:groovy-all:2.4.7'}
task uberjar(type: Jar,dependsOn:[':compileJava',':compileGroovy']) {
from files(sourceSets.main.output.classesDir)
from configurations.runtime.asFileTree.files.collect { zipTree(it) }
manifest {
attributes 'Main-Class': mainClassName
}
}
HelloWorld.groovy:
class HelloWorld {
static void main(String[] args) {
println('Hello World');
}
}
I have a project that has two gradle files: build.gradle and myPlugin.gradle
The myPlugin.gradle implemented the Plugin Interface. The plugin also has a dependency on osdetector-gradle-plugin
I added the two gradle files beside each other then I tried to apply myPlugin into build.gradle as follows:
apply from: 'myPlugin.gradle'
However, I have got the following error in myPlugin.gradle file:
Plugin with id 'com.google.osdetector' not found
Here is the code for myPlugin.gradle file:
apply plugin: 'groovy'
apply plugin: 'maven'
repositories {
mavenCentral()
mavenLocal()
}
dependencies {
compile 'com.google.gradle:osdetector-gradle-plugin:1.4.0'
}
import org.gradle.api.tasks.TaskAction
import org.gradle.api.DefaultTask
import org.gradle.api.Plugin
import org.gradle.api.Project
apply plugin: 'com.google.osdetector'
apply plugin: HostingMachineOSPlugin
class HostingMachineOSPlugin implements Plugin<Project>{
void apply(Project project){
project.plugins.apply("com.google.osdetector");
//project.configurations.files('com.google.osdetector')
println project.osdetector.os
/* Extend the project property to have the class HostingMachineOS */
project.ext.HostingMachineOS = HostingMachineOS
}
}
public class HostingMachineOS {
static family = "Unkown"
static def setFamilyName(name){
family = name
}
static def isLinux (){
family == "linux"
}
static def isWindows (){
family == "windows"
}
static def isMacOS(){
family == "osx"
}
}
HostingMachineOS.setFamilyName(osdetector.os)
in build.gradle file: I am just doing something like this:
//define buildScript repositories and dependencies then
apply from: 'myPlugin.gradle'
task dummy{
println HostingMachineOS.isMacOS()
println HostingMachineOS.isLinux()
println HostingMachineOS.isWindows()
}
How can I solve the Plugin with id 'com.google.osdetector' not found?
This is a common pitfall, to add a plugin to build.gradle file you need to add a dependency for the build script itself - not for the project. The following piece of code (added in the file where you apply the plugin) should solve the problem:
buildscript {
repositories {
mavenCentral()
mavenLocal()
}
dependencies {
classpath 'com.google.gradle:osdetector-gradle-plugin:1.4.0'
}
}
EDIT
Please have a look here - it seems that if you need to apply from third-party script you need to use the full class name (with package). So the files should be defined as follows:
build.gradle
apply from: 'myPlugin.gradle'
task dummy{
println HostingMachineOS.isMacOS()
println HostingMachineOS.isLinux()
println HostingMachineOS.isWindows()
}
myPlugin.gradle
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'com.google.gradle:osdetector-gradle-plugin:1.4.0'
}
}
apply plugin: 'groovy'
apply plugin: 'maven'
apply plugin: com.google.gradle.osdetector.OsDetectorPlugin
apply plugin: HostingMachineOSPlugin
class HostingMachineOSPlugin implements Plugin<Project>{
void apply(Project project){
project.plugins.apply(com.google.gradle.osdetector.OsDetectorPlugin);
//project.configurations.files('com.google.osdetector')
println project.osdetector.os
/* Extend the project property to have the class HostingMachineOS */
project.ext.HostingMachineOS = HostingMachineOS
}
}
public class HostingMachineOS {
static family = "Unkown"
static def setFamilyName(name){
family = name
}
static def isLinux (){
family == "linux"
}
static def isWindows (){
family == "windows"
}
static def isMacOS(){
family == "osx"
}
}
HostingMachineOS.setFamilyName(osdetector.os)
i can't see buildSrc on the buildscript classpath in gradle; i can access it...but it somehow isn't there
i expected that it's there...because the buildscript can use those classes
build.gradle:
apply plugin: 'java'
buildscript{
dependencies{
classpath gradleApi()
}
}
task show(){
A.asd()
buildscript.configurations.classpath.each { println it }
}
contents of: buildSrc/src/main/java/A.java
public class A{
public static void asd(){
System.out.println(A.class + " is invokable from"+A.class.getProtectionDomain().getCodeSource().getLocation().getPath());
}
}
output:
:buildSrc:clean
...
:buildSrc:build
class A is invokable from/home/kirk/projects/bt/ews/tx3/buildSrc/build/classes/main/
/home/kirk/tools/gradle-1.11/lib/gradle-core-1.11.jar
...other nonrelated jars/etc
:show
buildscript { dependencies { classpath ... } } is the way to explicitly add build script dependencies. The buildSrc output directory is added implicitly.