A topic discussed at length in many places. Java is compiled into a well-documented intermediate bytecode language. Anyone with knowledge of the bytecode (which is everyone, since it's public) can decompile your Java applications. Technically no code is "secure" - even native code can be decompiled, but it's an awful lot harder to do that than with Java, where everything is machine-independent and precise, and carries all the metadata about datatypes with it (unlike C++ compiled code which can be told to strip it all away).
Many people have tried, and failed, to find clever ways to encrypt their classes. But fundamentally it just doesn't work with the classloader; for reasons why see
Cracking Java byte-code encryption.
The best you can do is obfuscate your code - i.e. make it as difficult as possible for people to read what is decompiled. There are many tools available to do this. Essentially they all do what C++ does and make the metadata extremely difficult for humans to read while still be intelligible to machines. Then it doesn't become worth the effort to decompile it.
Charles Lyons (SCJP 1.4, April 2003; SCJP 5, Dec 2006; SCWCD 1.4b, April 2004)
Author of OCEJWCD Study Companion for Oracle Exam 1Z0-899 (ISBN 0955160340 / Amazon Amazon UK )