|
Sponsored Links
Resources
Enterprise Java
Research Library
Get Java white papers, product information, case studies and webcasts
|
News
News
News
|
Messages: 17
Messages: 17
Messages: 17
Printer friendly
Printer friendly
Printer friendly
Post reply
Post reply
Post reply
XML
XML
XML
|
 |
ProGuard 1.5: Open Source Class File Shrinker / Obfuscator
A new version, 1.5, of ProGuard has been released on SourceForge. ProGuard is a Java class file shrinker and obfuscator, that can detect and remove unused classes, fields, methods, and attributes. It can then rename the remaining classes, fields, and methods using short meaningless names.
Changes for Version 1.5:
Fixed processing of retrofitted library interfaces
Fixed processing of .class constructs in internal classes targeted at JRE1.2 (the default in JDK1.4)
Fixed -dump option when -outjar option is not present
Updated documentation and examples
Check out ProGuard
Do many of you obfuscate your code?
What obfuscators do you use?
|
|
|
Message #70871
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Yes
Yes - I use an obfuscater whenever delivering jar files
to external customers.
I use an old piece of software called JMangle.
Old, but easy to use and apperently does the job well.
|
|
|
Message #70885
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Is it configurable?
One thing I would worry about with code chrinkers is the removal of methods it 'thinks' are unnecessary. I was using IDEA to inspect some code last night and found several methods in which the IDE thought could be removed. But we are using Digester for some of our code and relying upon reflection to invoke the methods when necessary. I would assume this software would think these methods were not used as well since they are never 'directly' called in code.
Any one have experience with similar situations?
Jim
|
|
|
Message #70898
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Obscurity or Size?
Why are people using obfuscators? Is it for security through obscurity or for the size/performance impacts?
Dave Wolf
|
|
|
Message #70902
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
for obscurity
I use them to prevent access to easily understandable source code. Size/performance is not one of the reasons.
|
|
|
Message #70927
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Is it configurable?
I don't think anything should ever remove public classes and/or methods. You might be deploying your jar as a library and then.. Not to mention reflection etc.
Removing unused private methods is safe though. (if you're doing reflection on private methods I would say something is wrong with your code..)
All the rest is debatable and should be probably configurable.
Regards,
Vlad
|
|
|
Message #70936
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
J2ME can't breathe without an obfuscator!
I am currently developping J2ME applications and there I can surely say you can't deploy any serious application without obfuscation. And Proguard does a great job there!
In J2ME the main benefit of obfuscation is in shrinking the size of the code.
I have used Retroguard (www.retrologic.com) but from my experience Proguard produces about 5% smaller jars.
The security aspect is also important but it is not gonna be as easy to get the jar file of the J2ME application once OTA capable phones become available as it is with applets.
In J2ME the removal of unused methods and classes is of great help, because otherwise I would have to do it by hand. Without such a tool it won't be possible to write a descent J2ME library. I'll have to rip it off in every application and it will be just easier to write a lot of stuff a new.
Does anybody know if Proguard removes methods that are not called at all, or methods which call stacks are not invoked?
|
|
|
Message #70958
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
with a test suite ...
Maybe if you have a good test suite for your application you can remove unused classes more safety.
|
|
|
Message #70961
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Incremental Obfuscation
this software do not manage incremental obfuscation which is essential to incremental jar update in java web start for example (in fact a few does !)
|
|
|
Message #70965
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Other obfuscators: Alphaworks JAX
What does it do that JAX http://alphaworks.ibm.com/tech/JAX didn't do in 1998?!
I know that it hasn't been developed (at least in the Alphaworks version) since then, but IIRC, JAX also does method devirtualisation, class merging and other stuff...
I haven't needed to use it for a long time, but the only issue I remember having with it was that it took ages to work through all the features and work out what they did...
/david
|
|
|
Message #71072
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Common Things can Foil Obfuscation
I was taked with adding obfuscation to a medium-sized client/sever pair w/java 1.1 and here were my observations:
- any methods that are accesssed via reflection need to be excluded from obfuscation
- any classes that are loaded via Class.forName("foo") need to be excluded from obfuscation
- properly obfuscating swing applications is very difficult due to the dynamic nature of the swing components
- expect to spend several iterations of full regression sweeps to validate the obfuscated product
- if you are adding obfuscation late in the development cycle, expect to produce parallel builds (obfuscated and non obfuscated) so that QA can repro bugs. One big problem with debugging obfuscated code is the fact that you will not get a stack trace that's meaningful.
- obfuscation will drastically reduce your jarsize and your memory footprint
- good luck patching an obfuscated applicaiton in the field. You will probably have to redeliver a new jar instead of just the updated classes.
|
|
|
Message #71086
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Not my experience
A good obfuscater allows you to specify that public
class/member/method names are not to be mangled.
A good obfuscator produces a map of mangled names that can
be used to analyze a stacktrace.
My experience with JMangle is just run it and ship the
result and forget about it.
OK - it has also been our experience that we need
to distribute full jars. But we would have wanted to
do that anyway.
|
|
|
Message #71239
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
ProGuard 1.5: Open Source Class File Shrinker / Obfuscator
Thank you all for your interest in ProGuard. Even when processor speeds and memory capacity are increasing all the time, I personally liked the idea of my code being made a bit leaner, without much effort. For simple applications or libraries, processing the code can be trivial. For code that uses a lot of introspection, shrinking and obfuscation can be more complicated.
In any case, ProGuard was designed to be easily configurable, so it can scale with increasingly complex code. For example, ProGuard accepts the following option:
-keep public class * extends java.applet.Applet
This would preserve all public applets, including other classes, methods, and fields that are required in the output jar. Note that ProGuard automatically recognizes Class.forName calls with constant string arguments. It also gives hints about other classes that you may want to keep because they might be created dynamically.
Similarly, one can preserve all applications in the input jars:
-keepclasseswithmembers public class * {
public static void main(java.lang.String[]);
}
In some cases, one wants to preserve all classes that implement an interface:
-keep public class mypackage.** implements MyInterface
The templates allow to quickly specify entire groups of classes, methods, and fields, constraining them based on their access flags, names, interfaces or superclasses, and class members. The templates are more resilient against changes than, say, a fixed set of names. This simple and robust configuration is probably the chief advantage of ProGuard compared to other obfuscators. Please feel free to download it and report your experiences.
Eric (author of ProGuard).
|
|
|
Message #71801
Post reply
Post reply
Post reply
Go to top
Go to top
Go to top
|
|
Class.forName()
- any classes that are loaded via Class.forName("foo") need to be excluded from obfuscation
This is IMO not true for ProGuard.
|
|
|
| New content on TheServerSide.comNew content on TheServerSide.comNew content on TheServerSide.com |
|
|
Reza Rahman explores the features of the proposed JSR 299, Contexts and Dependency Injection for Java EE (CDI). When approved, it promises to be a key feature of Java EE 6.
(November 2, Article)
SAML is an XML-based standard for exchanging authentication and authorization data between security domains. The single most important problem that SAML was created to solve is the Web browser Single Sign-On problem. Many organizations are debating whether to stay with version 1.1 or move to 2.0. This article makes observations about both options.
(September 28, Article)
Joe Ottinger takes a look at how people learn, and applies it to the practice of programming. He notes that understanding how people learn is an essential part of working in a programming team.
(September 22, Article)
Stephen Maryka gave us an article about the Asynchronous Web and posed a number of questions that get examined like an approach to delivering Asynchronous Web capabilities through extensions to existing Java EE technologies.
(July 14, Article)
JavaServer Faces Flex goal is to provide users capability in creating standard Flex components, part of flexSDK which is open sourced through MPL license, as normal JSF components. This article by Ji Hoon Kim will provide an overview of creating a simple multilingual JSF page consisting of JSF Flex tags.
(June 29, Article)
In this session Jeff explores the key characteristics of successful SOA projects. He covers some of the patterns, and anti-patterns, tool sets, and strategies that he himself learned the hard way. Last, he provides a strategy and blueprint for achieving a high likelihood of success in your SOA project.
(June 23, Tech Talk)
Ari Zilka, CTO of Terracotta, Inc., talks about the new features in Terracotta 3.1, announced during JavaOne and available now.
(June 15, Tech Talk)
In this Tech Talk, Josh Long explores an integration challenge using Spring Integration and walks through the implementation, employing and expanding on the basic patterns of Enterprise Application Integration to tie together components into a function integration solution, and then demonstrates how Spring Integration helps address the integration requirements.
(June 15, Tech Talk)
In this Tech Talk, David Geary teaches you: The basics of Google Web Toolkit; How to implement Ajax-enabled applications in Java; Internationalization; Hooking into the browser history mechanism; Remote procedure calls.
(June 4, Tech Talk)
Jon Kern discusses the best architecture/technical solutions and ensure that they are repeated by all developers. By tackling the architecture up-front in a serial manner, subsequent parallel development will be much more manageable and predictable.
(May 28, Tech Talk)
This keynote describes the frustrations of modern knowledge workers in their quest to actually get some work done, and solutions for how to guard yourself against all those distractions. Neal Ford talks about environments, coding, acceleration, automation, and avoiding repetition as ways to defeat the misguided attempts to sap your ability to produce good work.
(May 26, Tech Talk)
Gil demonstrates how new, aggressive uses of already abundant compute capacity by common applications offer competitive value for application designers.
(May 21, Tech Talk)
Chris Keene introduces WaveMaker as a new way to automate the ability to generate Hibernate classes in order to more quickly bring OR mapping into an application.
(May 19, Article)
In this session Nati Shalom demonstrates how to take a standard Java EE web application and scale it out or down dynamically without changes to the application code. Seeing as most web applications are over-provisioned to meet infrequent peak loads, this is a dramatic change because it enables growing your application as needed, when needed, without paying for unutilized resources.
(May 19, Tech Talk)
Download the entire book of Jakarta-Struts Live and learn about Struts MVC, Tiles, the Validator, DynaActionForms, plug-ins, internationalization, and more.
(Book PDF Download)
The Application Server Matrix is a detailed listing of J2EE vendors and their application server products, with information on latest version numbers, J2EE spec support and licensing, pricing, platform support, and links to product downloads and reviews.
(Application Server Comparison Matrix)
|
|
