How to obfuscate a webapp using Maven and ProGuard

Question

I use Maven and the maven-war-plugin to to build my WAR. All JSPs are pre-compiled using the jspc-maven-plugin and all classes are put into a JAR (WEB-INF/lib). So far everything works fine. Now I try to configure the proguard-maven-plugin to obfuscate my code.

First I tried to obfuscate all classes during the compile phase but then I get in trouble pre-compiling the JSPs. I found some examples where the package phase is defined. But in this case I dont know how to address my JAR file, which is alrady packed into the WAR. Finally I tried simply to set my WAR as <injar>mywebapp.war</injar>. But this is also not working. What am I missing?

        <plugin>
            <groupId>com.pyx4me</groupId>
            <artifactId>proguard-maven-plugin</artifactId>
            <version>2.0.4</version>
            <executions>
                <execution>
                    <phase>package</phase>
                    <goals>
                        <goal>proguard</goal>
                    </goals>
                </execution>
            </executions>               
            <configuration>
                <obfuscate>true</obfuscate>
                <includeDependency>false</includeDependency> 
                <injar>${project.artifactId}-v${project.version}.war</injar>
                <outjar>${project.artifactId}-v${project.version}-obf.war</outjar> 
                <outputDirectory>${project.build.directory}</outputDirectory> 
                <maxMemory>256m</maxMemory>
                <libs>
                    <!--  Java Runtime -->
                    <lib>${java.home}/../Classes/classes.jar</lib>
                    <lib>${java.home}/../Classes/jce.jar</lib>
                </libs>                 
                <options>
                    <option>-allowaccessmodification</option>
                    <option>-dontskipnonpubliclibraryclasses</option>
                    <option>-dontskipnonpubliclibraryclassmembers</option>
                </options>
            </configuration>
        </plugin>

Do you have any hints, examples to get this done?

Thanks a lot! David

Answer 1

Take a look at the Maven lifecycles that are available. Specifically the default lifecycle. The problem you may be running into is that Maven can guarantee on some plugins, like the jar and war plugins, but others plugins, like your proguard plugin, it may not.

I think if you changed the execution phase from package to prepare-package, that should get the JSP files obfuscated before they are packaged into the the JAR file and subsequently into the WAR file. And that phase should not interfere with with compilation of any classes you may have.