An ongoing collection of Java security tools, frameworks, libraries, learning tutorials, and academic and practical resources. Thanks to all contributors; you're awesome, and this wouldn't be possible without you. Our goal is to build a categorized, community-driven collection of well-known resources.
- Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
- JJWT - Java JWT: JSON Web Token for Java and Android.
- OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
- PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
- Spring Security - A powerful and highly customizable authentication and access-control framework.
- Spring Security OAuth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) to Spring web applications. The project has reached end of life; for new work, use the OAuth2 client and resource-server support built into Spring Security itself.
- hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
- GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.
- SpotBugs - A static analysis tool that looks for bugs in Java code; the successor to FindBugs.
- Find Security Bugs - SpotBugs plugin for security audits of Java web applications and Android applications.
- Detect Secrets - An enterprise friendly way of detecting and preventing secrets in code.
- Gitrob - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
- Sonarqube - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.
- Oversecured - A static analyzer for Android apps (APK files), searches for security vulnerabilities. Contains 90+ vulnerability categories.
- Code Pulse - Code Pulse is a real-time code coverage tool for penetration testing activities.
- OWASP ZAP - Helps automatically find security vulnerabilities in your web applications.
- Contrast Community Edition - Free runtime protection and vulnerability detection tool, identifying issues in running applications.
- OWASP Dependency-Check - Detects publicly disclosed vulnerabilities in application dependencies.
- Snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.
- Snyk Vulnerability DB - Commercial but free listing of known vulnerabilities in libraries.
- Common Vulnerabilities and Exposures - Vulnerabilities that were assigned a CVE. Covers the language and packages.
- National Vulnerability Database - Java known vulnerabilities in the National Vulnerability Database.
- Contrast Community Edition - Free tool to locate CVEs and outdated dependencies in libraries.
- Bouncy Castle - Java implementation of cryptographic algorithms.
- Conscrypt - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
- Cryptomator - Multi-platform transparent client-side encryption of your files in the cloud.
- Keyczar - Easy-to-use crypto toolkit by Google. Deprecated; Google now recommends Tink in its place.
- Keywhiz - System for distributing and managing secrets.
- Tink - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
- ACME4J - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA.
- BodgeIt Store - A vulnerable web application aimed at people who are new to pen testing.
- OWASP Benchmark - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
- Security Shepherd - Web and mobile application security training platform.
- WebGoat - A deliberately insecure Java Web Application.
- Java Platform, Standard Edition Security Developer's Guide - This guide covers the major Java Standard Edition security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extension (JSSE).
- Application Security Verification Standard - (PDF) The standard is a list of application security requirements that can be used by developers.
- Spring Security CSRF - A Guide to CSRF Protection in Spring Security.
- Secure Coding Guidelines - Secure Coding Guidelines for Java SE
- Securing a Web Application - This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.
- Spring Security Guides - Step by step guides on how to use Spring Security.
- Prevent cross-site scripting (XSS) attacks - This article explains how XSS attacks work and suggests a methodology to block XSS attacks.
- Java Security Resource Center - A collection of security details for different users of the Java Platform.
- Encrypting with SSL/TLS - Step-by-step guide for encrypting client and server communication.
- JSR 115: Java Authorization Contract for Containers
- JSR 196: Java Authentication Service Provider Interface for Containers
- JSR 375: Java EE Security API
Found an awesome project, package, article, or another type of resource related to Java security? Open a pull request!
MIT License & cc license
This work is licensed under a Creative Commons Attribution 4.0 International License.
To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work. Just follow the guidelines. Thank you!