使用 ProGuard 混淆 GWT Web 应用程序

发布于 2024-10-15 09:37:12 字数 3752 浏览 6 评论 0原文

我正在尝试使用 Proguard 来混淆我的 GWT (Vaadin) 应用程序。我以前从未混淆过 java 代码,这是我第一次尝试使用 Proguard。

我的配置文件设置如下:

-libraryjars JAVA_HOME\rt.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\appfoundation.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\blackboard-2.1.1.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\cssinject-0.9.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\eclipselink.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\eclipselink-jpa-modelgen_2.0.2.v20100323-r6872.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\gwt-visualization.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\iText-5.0.4.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\javax.persistence_1.0.0.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\javax.persistence_2.0.0.v201002051058.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\vaadin-6.4.4.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\vaadin-calendar-0.5.1.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\vaadin-chameleon-theme-1.0.1.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\VisualizationsForVaadin.jar
-libraryjars "C:\Program Files\eclipse\configuration\com.vaadin.integration.eclipse\download\gwt-dev\2.0.3\gwt-dev.jar"
-libraryjars "C:\Program Files\eclipse\configuration\com.vaadin.integration.eclipse\download\gwt-user\2.0.3\gwt-user.jar"
-injars   test.war
-outjar   test_after.war
-printseeds
-ignorewarnings
-keep public class TestApplication extends com.vaadin.Application {
public void init();
} 

然后使用 proguard 命令执行:

java -jar proguard.jar @test.pro

配置文件没有出现任何错误,但确实收到了很多警告。输出文件已创建,但我担心警告。我需要在配置文件中指定更多 jar 文件吗?我列出了我在应用程序中使用的所有罐子。我还有什么做错的吗?

下面是命令行输出最后 20~ 行的片段,

提前致谢

S.

      Maybe this is library method 'sun.jdbc.odbc.JdbcOdbcStatement { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.CommonDataSource { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.ConnectionPoolDataSource {java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.DataSource { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.PooledConnection { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.rmi.transport.StreamRemoteCall { sun.rmi.transport.Connection getConnection(); }'
Note: org.eclipse.persistence.sdo.helper.DynamicClassWriter accesses a declared method 'writeReplace()' dynamically
      Maybe this is program method 'org.eclipse.persistence.sdo.SDODataObject {java.lang.Object writeReplace(); }'
      Maybe this is program method 'org.eclipse.persistence.sdo.helper.ListWrapper { java.lang.Object writeReplace(); }'
      Maybe this is library method 'com.sun.corba.se.impl.presentation.rmi.InvocationHandlerFactoryImpl$CustomCompositeInvocationHandlerImpl { 
Note: there were 4 unresolved dynamic references to classes or interfaces.
      You should check if you need to specify additional program jars.
Note: there were 10 accesses to class members by means of introspection.
      You should consider explicitly keeping the mentioned class members
      (using '-keep' or '-keepclassmembers').
Warning: there were 3649 unresolved references to classes or interfaces.
         You may need to specify additional library jars (using '-libraryjars').

Warning: there were 173 unresolved references to program class members.
         Your input classes appear to be inconsistent.
         You may need to recompile them and try again.
         Alternatively, you may have to specify the option
         '-dontskipnonpubliclibraryclassmembers'.

I am trying to obfuscate my GWT (Vaadin) application using Proguard. Ive never obfuscated java code before and this is my first attempt using Proguard.

I have my config file set as follows:

-libraryjars JAVA_HOME\rt.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\appfoundation.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\blackboard-2.1.1.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\cssinject-0.9.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\eclipselink.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\eclipselink-jpa-modelgen_2.0.2.v20100323-r6872.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\gwt-visualization.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\iText-5.0.4.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\javax.persistence_1.0.0.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\javax.persistence_2.0.0.v201002051058.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\vaadin-6.4.4.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\vaadin-calendar-0.5.1.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\vaadin-chameleon-theme-1.0.1.jar
-libraryjars MYPATH\test\WebContent\WEB-INF\lib\VisualizationsForVaadin.jar
-libraryjars "C:\Program Files\eclipse\configuration\com.vaadin.integration.eclipse\download\gwt-dev\2.0.3\gwt-dev.jar"
-libraryjars "C:\Program Files\eclipse\configuration\com.vaadin.integration.eclipse\download\gwt-user\2.0.3\gwt-user.jar"
-injars   test.war
-outjar   test_after.war
-printseeds
-ignorewarnings
-keep public class TestApplication extends com.vaadin.Application {
public void init();
} 

I then execute using the proguard command:

java -jar proguard.jar @test.pro

I dont get any errors with the configuration file but i do receive lots of warnings. The output file is created but im concerned about the warnings. Do i need to specify further jar files in my config file? I have listed all the jars that i am using in my application. Is there anything else i am doing wrong?

Below is a snipped of the last 20~ lines of the command line output

Thanks in advance

S.

      Maybe this is library method 'sun.jdbc.odbc.JdbcOdbcStatement { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.CommonDataSource { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.ConnectionPoolDataSource {java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.DataSource { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.jdbc.odbc.ee.PooledConnection { java.sql.Connection getConnection(); }'
      Maybe this is library method 'sun.rmi.transport.StreamRemoteCall { sun.rmi.transport.Connection getConnection(); }'
Note: org.eclipse.persistence.sdo.helper.DynamicClassWriter accesses a declared method 'writeReplace()' dynamically
      Maybe this is program method 'org.eclipse.persistence.sdo.SDODataObject {java.lang.Object writeReplace(); }'
      Maybe this is program method 'org.eclipse.persistence.sdo.helper.ListWrapper { java.lang.Object writeReplace(); }'
      Maybe this is library method 'com.sun.corba.se.impl.presentation.rmi.InvocationHandlerFactoryImpl$CustomCompositeInvocationHandlerImpl { 
Note: there were 4 unresolved dynamic references to classes or interfaces.
      You should check if you need to specify additional program jars.
Note: there were 10 accesses to class members by means of introspection.
      You should consider explicitly keeping the mentioned class members
      (using '-keep' or '-keepclassmembers').
Warning: there were 3649 unresolved references to classes or interfaces.
         You may need to specify additional library jars (using '-libraryjars').

Warning: there were 173 unresolved references to program class members.
         Your input classes appear to be inconsistent.
         You may need to recompile them and try again.
         Alternatively, you may have to specify the option
         '-dontskipnonpubliclibraryclassmembers'.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

赤濁 2024-10-22 09:37:12

GWT 生成两部分代码。

  1. 客户端代码。这是在浏览器中运行的内容,由用户界面以及对服务器的任何异步调用组成。当您编写 Java 源代码时,它会从源代码直接转换为 Javascript。即 GWT 编译器甚至不查看类文件。要混淆生成的 JS,请使用 GWT 编译器标志(见下文)
  2. 服务器端代码。服务器代码将是您的客户端应用程序调用的端点。例如,您可以调用 GWT RPC 调用并将 GWT servlet 作为端点。像任何其他应用程序一样混淆您的网络应用程序 - 通过 Proguard 或类似的尝试和错误。从一个简单的配置开始,稍微混淆一下,然后从那里继续。

由于 GWT 客户端是从 Java 源代码生成的,因此在提供给 GWT 之前没有简单的方法进行混淆。我想你可以通过 Proguard 进行混淆,然后反编译并将其提供给 GWT 编译器。这似乎有点矫枉过正,但也许是可能的。

混淆的正常方法是向 GWT 编译器指定-style OBF。这将彻底混淆您的代码。尽管收益递减、错误等法则适用,但您可能可以更进一步,通过另一个 JS 混淆器运行它。

我建议您了解当您提供 OBF 作为样式时会生成什么。对于您的目的来说,这可能已经足够了。显然,您在服务器端放置的内容越多(例如安全性、cookie 验证等),客户端中的代码就越不重要。

GWT generates code in two parts.

  1. Client side code. This is what runs in your browser and consists of the user interface plus any async calls to the server. While you write Java source it is transformed from the source straight into Javascript. i.e. the GWT compiler doesn't even look at the class files. To obfuscate the generated JS, use the GWT compiler flags (see below)
  2. Server side code. The server code would be the end points your client app calls. e.g. you might invoke GWT RPC calls and have GWT servlets as end point. Obfuscate your web app like you would any other - trial and error through Proguard or similar. Start off with a simple configuration that lightly obfuscates and then proceed from there.

As the GWT client side is generated from Java source code there is no easy way to obfuscate before feeding to GWT. I suppose you could somehow obfuscate through Proguard and then decompile that and feed it to the GWT compiler. It seems like overkill but it may be possible.

The normal way to obfuscate is to specify -style OBF to the GWT compiler. This will thoroughly obfuscate your code. You could probably go further and run it through another JS obfuscator though the law of diminishing returns, bugs etc. applies.

I suggest you understand what gets generated when you supply OBF as the style. It's probably quite sufficient for your purposes. Obviously the more stuff you put on the server side (e.g. security, cookie validation etc.) the less it matters what code is in the client.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文