I have a web application using spring annotations extensivley and I have my proguard configuration like the following:
-printmapping out.map
-dontoptimize
-keepdirectories
-renamesourcefileattribute SourceFile
-keepattributes Exceptions,SourceFile,LineNumberTable,*Annotation*
-adaptresourcefilenames **.xsd,**.wsdl,**.xml,**.properties,**.gif,**.jpg,**.png
-adaptresourcefilecontents **.xsd,**.wsdl,**.xml,**.properties,META-INF/MANIFEST.MF
-dontshrink
-keepclassmembernames class * {
java.lang.Class class$(java.lang.String);
java.lang.Class class$(java.lang.String, boolean);
}
-keepclassmembers enum * {
public static **[] values();
public static ** valueOf(java.lang.String);
}
-keepclassmembers class * implements java.io.Serializable {
static final long serialVersionUID;
private static final java.io.ObjectStreamField[] serialPersistentFields;
private void writeObject(java.io.ObjectOutputStream);
private void readObject(java.io.ObjectInputStream);
java.lang.Object writeReplace();
java.lang.Object readResolve();
}
-keep @org.springframework.transaction.annotation.Transactional class *
-keep @org.springframework.stereotype.Service class *
-keep @org.springframework.stereotype.Controller class *
-keep @org.springframework.beans.factory.annotation.Autowired class *
-keep @org.springframework.web.bind.annotation.ResponseBody class *
-keep @org.springframework.web.bind.annotation.RequestMapping class *
-keep @org.springframework.stereotype.Repository class *
-keep @javax.annotation.Resource class *
-keep @javax.persistence.Entity class *
-keep @javax.persistence.Table class *
-keep @javax.persistence.Id class *
-keep @javax.persistence.GeneratedValue class *
-keep @javax.persistence.Column class *
-keep @javax.persistence.Transient class *
-keep @org.springframework.ws.server.endpoint.annotation.Endpoint class *
-keep @org.springframework.ws.server.endpoint.annotation.PayloadRoot class *
-keep @org.springframework.ws.server.endpoint.annotation.ResponsePayload class *
It built fine without warnings whatsoever. But after deploying in tomcat, and opening the page in the browser it waits and waits without any result, What could be the problem?
I found out the problem:
proguard can't treat the annotated classes, methods, fields specially when they are runtime types. If you run proguard even with -keep option for the annotations, it will still mess up with the configuration files, because it can only replace classes, methods, fields in the resources that have full reference to the package i.e. if and only if the class/field is mentioned in the following way: my.package.level.purpose.MyClass/my.package.level.purpose.MyClass.myField.
And coming back to the annotations, a spring web application is full of annotations, so it will be useless or even not obfuscated at all (maybe only the util classes will be obfuscated).
Conlusion:
There is no use of obfuscating modern spring (3.x.x+) web applications with any obfuscators even the commercial ones, because they all work on the byte-code side of the code and will not treat annotations and mess up with the config files.