springboot-xjar加密打包

最近項目需要部署到外網客戶的服務器上，為了提高安全性需要將jar包加密，在網上找到了一個組件xjar發特此記錄下。

項目結構

就是一個特別簡單的springboot項目：

src/main/resources

└─resources
        application-dev.yml
        application-pre.yml
        application-test.yml
        application.yml 
        bootstrap.yml # 測試空文件
        logback.xml # 測試空文件

application.yml

server:
  port: 8080

spring:
  profiles:
    active: '@profileActive@' 
  jackson: # 配置日期格式化方式
    date-format: yyyy-MM-dd HH:mm:ss
    time-zone: GMT+8
    serialization: 
      write-dates-as-timestamps: false

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

	<modelVersion>4.0.0</modelVersion>
	<groupId>com.bart.springboot</groupId>
	<artifactId>springboot-xjar</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<packaging>jar</packaging>
	<description>springboot-xjar</description>
	<!-- 配置編譯版本和編碼格式 -->
	<properties>
		<maven.compiler.encoding>UTF-8</maven.compiler.encoding>
		<maven.compiler.target>1.8</maven.compiler.target>
		<maven.compiler.source>1.8</maven.compiler.source>
        <skipTests>true</skipTests>
	</properties>

	<!-- Inherit defaults from Spring Boot -->
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.1.4.RELEASE</version>
	</parent>

	<dependencies>
	
		<!-- springcloud 的 starter  -->
		<dependency>
			<groupId>org.springframework.cloud</groupId>
			<artifactId>spring-cloud-starter</artifactId>
			<version>2.0.1.RELEASE</version>
		</dependency>	
			
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>


		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-configuration-processor</artifactId>
			<optional>true</optional>
		</dependency>

		<!-- https://mvnrepository.com/artifact/com.github.core-lib/xjar -->
		<dependency>
			<groupId>com.github.core-lib</groupId>
			<artifactId>xjar</artifactId>
			<version>v2.0.6</version>
		</dependency>


	</dependencies>

	<!-- 設置 jitpack.io 倉庫 -->
	<repositories>
		<repository>
			<id>jitpack.io</id>
			<url>https://jitpack.io</url>
		</repository>
	</repositories>

	<!-- 設置 jitpack.io 插件倉庫 -->
	<pluginRepositories>
		<pluginRepository>
			<id>jitpack.io</id>
			<url>https://jitpack.io</url>
		</pluginRepository>
	</pluginRepositories>

	<!-- profile配置 -->
	<profiles>
		<profile>
			<id>dev</id>
			<properties>
				<profileActive>dev</profileActive>
			</properties>
			<activation>
				<activeByDefault>true</activeByDefault>
			</activation>
		</profile>
		<profile>
			<id>test</id>
			<properties>
				<profileActive>test</profileActive>
			</properties>
		</profile>
		<profile>
			<id>pre</id>
			<properties>
				<profileActive>pre</profileActive>
			</properties>
		</profile>
	</profiles>
	
	
	<build>
		<resources>
			<resource>
				<directory>src/main/resources</directory>
				<includes>
					<include>application-${profileActive}.yml</include>
					<include>application.yml</include>
					<include>logback.xml</include>
					<include>com/**</include>
					<include>delivery/**</include>
				</includes>
				<filtering>true</filtering>
			</resource>
		</resources>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
				<!-- <version>2.1.4.RELEASE</version> -->
				<executions>
					<execution>
						<goals>
							<goal>repackage</goal>
						</goals>
					</execution>
				</executions>
			</plugin>
			<plugin>
				<groupId>com.github.core-lib</groupId>
				<artifactId>xjar-maven-plugin</artifactId>
				<version>v2.0.6</version>
				<executions>
					<execution>
						<id>xjar</id>
						<goals>
							<goal>build</goal>
						</goals>
						<phase>package</phase>
						<configuration>
							<password>${xjar.password}</password>
							<includes>
								<include>com/**</include>
							</includes>
						</configuration>
					</execution>
				</executions>
			</plugin>
		</plugins>
	</build>
	
</project>

springboot項目啟動類

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class Application {
	
	public static void main(String[] args) {
		SpringApplication.run(Application.class, args);
	}
	
	@Value("${server.port}")
	Integer port;
	
	@Value("${spring.profiles.active}")
	String active ;
	
	@GetMapping("/")
	public String hello() {
		return "hello springboot! port = "+ port +", active = "+ active;
	}
	
	
}

打包測試

mvn clean package -Dmaven.test.skip=true -Pdev -U -pl ./ -am -e -Dxjar.password=123456 -Dxjar.targetDir=./target
# 命令解釋
-P: 觸發dev環境的profile
-U: 強制更新
-pl: 打包聚合工程的時候用到
clean deploy -Dmaven.test.skip=true -pl project-a (只構建其中一個)
clean deploy -Dmaven.test.skip=true -pl project-a,project-b,project-c (只構建其中三個個)

-am: 打當前項目的及依賴的包
-e: 打印詳情

打包成功后在target目錄生成后綴為.xjar文件就是加密后的jar包：

例如：springboot-xjar-0.0.1-SNAPSHOT.xjar啟動該jar包方式和正常jar包一樣只不過需要輸入密碼。

C:\Users\springboot-xjar\target>java -jar springboot-xjar-0.0.1-SNAPSHOT.xjar
password:****** # 這里手動輸入密碼就是 -Dxjar.password 的值

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.1.4.RELEASE)

2022-03-25 23:29:52.001 [main] INFO  com.spboot.Application - The following profiles are active: dev
2022-03-25 23:29:53.919 [main] INFO  org.apache.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8081"]
2022-03-25 23:29:53.943 [main] INFO  org.apache.catalina.core.StandardService - Starting service [Tomcat]
2022-03-25 23:29:53.944 [main] INFO  org.apache.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.17]
2022-03-25 23:29:54.087 [main] INFO  o.a.c.core.ContainerBase.[Tomcat].[localhost].[/] - Initializing Spring embedded WebApplicationContext
2022-03-25 23:29:56.464 [main] INFO  org.apache.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8081"]
2022-03-25 23:29:56.773 [main] INFO  com.spboot.Application - Started Application in 16.799 seconds (JVM running for 21.149)

結束語

但是該組件嚴格意義上來說也不算絕對安全，網上已經有破解的方法，但是作為一般的加密也夠用了。

參考博客1

參考博客2

破解xjar