I want to obfuscate J2EE application which uses Struts2 framework, I tried using Proguard but its changing package and class names which does not get reflected stuts.xml file, Is it impossible to obfuscate struts2 web application ? Or any other way ?
In fact, once the sources has been obfuscated, ProGuard generates a log file that can be used to replace class names in xml file, in a grep-like way. Otherwise, it is also possible to exclude classes extending a specific class or interface in proGuard. This way, your struts actions won't be ofbuscated (which is a lamer obfuscation strategy) but the rest of your application will be.
In general, it is a bad idea to obfuscate names in an application running on top of a dynamic framework that relies on reflection, being it OSGi or a Web container. You never know what entities the framework would want to load or query by name, and whether obfuscation might upset the numerous third-party components...
Read more about this and about the three alternatives to obfuscation in Protect Your Java Code - Through Obfuscators And Beyond