DEV Community

Cover image for Awesome Java Security πŸ•Άβ˜•πŸ”
Stefan Streichsbier
Stefan Streichsbier

Posted on

Awesome Java Security πŸ•Άβ˜•πŸ”

The first version of Java was released on January 23, 1996. Since then Java is said to run on over 3 billion devices. Many of these devices are web servers.

Java is one of the top 5 most popular technologies, according to the 2018 StackOverflow survey.

For this reason, I've compiled a curated list of awesome-java-security resources to help devs code securely with Java.

GitHub logo guardrailsio / awesome-java-security

Awesome Java Security Resources πŸ•Άβ˜•πŸ”

A curated list of awesome Java security-related resources.


List inspired by the awesome list thing.

Supported by:



Web Framework Hardening

  • Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
  • JJWT - Java JWT: JSON Web Token for Java and Android.
  • OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
  • PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
  • Spring Security - A powerful and highly customizable authentication and access-control framework.
  • Spring Security Oauth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

Multi tools

  • hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and…

Did I miss anything? Let me know in the comments.

And, please leave a like (or ⭐ the repo) if you find it useful.

Top comments (6)

perkinsjr profile image
James Perkins

Maybe add SonarQube, its a pretty big hit in the Java industry and inspects for such items as Unused Code, Coding Convention, Performance Hotspot, Resource Leak, Multi-Threading, Null-Pointer Dereference, Error Handling, Injection Vulnerabilities everytime you check in. Free for Open source, one of my go to security checkers.

streichsbaer profile image
Stefan Streichsbier

Good one, James. Already added it here.

One thing to consider with SonarQube is that while it is a great and very mature solution, it works much better for quality related bugs, than for security bugs.

To quote from their docs:

"To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. [..] But for security-related rules, the story is a little different. [..]
That's why security-related rules cast a wider net than you may be used to seeing.
The idea is that the rule will flag anything suspicious, and leave it to the human security auditor to cull the false positives and sent the real issues for remediation."

perkinsjr profile image
James Perkins

Thanks for adding it!

Yes whilst they aren't in the game of security their wide catch of flagging has caught some things in the past that as developers we have looked into.

Nice work on the listing I have starred it for future looks

cpu profile image
Daniel McCarney

Great list Stefan! I submitted a pull request to add one of my favourite ACME clients which just so happens to be Java based :-)

streichsbaer profile image
Stefan Streichsbier

Thanks a lot for the contribution Daniel πŸ™πŸ»
Already merged your PR!

sachinp9192 profile image

Great article. Thanks same.