新年贺卡，给你不一样的祝福

Verify all inputs and use precompiled statements to prevent SQL injection, use OWASP Java Encoder to defend against XSS, and implement whitelist verification; 2. Use tools such as OWASP Dependency-Check to scan dependencies regularly, update third-party libraries in a timely manner, minimize dependency scope and generate SBOM; 3. Use frameworks such as Spring Security to implement authentication and authorization, support MFA and OAuth 2.0/SSO, follow the principle of minimum permissions and record audit logs; 4. Avoid hard-code sensitive information, use Vault or K8s Secrets to manage keys, disable debugging information in the production environment, close non-essential ports, and enable HTTPS and secure TLS configuration; 5. Use Spring Security manages sessions, sets the Secure, HttpOnly and SameSite properties of cookies, reasonably configure timeouts and destroys sessions when logging out; 6. Records key events such as login and permission changes, avoids log leakage of sensitive data, use ELK or Splunk to centrally monitor and set alarms; 7. Disables dangerous APIs such as Runtime.exec() and deserialization, regularly conducts code audits and penetration tests, and integrates static analysis tools such as SonarQube and Checkmarx; 8. Run applications with non-root users, configures JVM parameters to limit resources, enables security managers and monitors JVM indicators to prevent DoS attacks; Java enterprise application security needs to run through the entire life cycle, and the protection level is continuously improved through SDL processes combined with automation tools and training.

Java remains one of the mainstream languages for enterprise-level application development, especially in finance, telecommunications and large-scale management systems. However, as attack methods continue to evolve, ensuring the security of Java enterprise applications has become crucial. Here are some key security best practices for Java enterprise applications, covering coding, configuration, dependency management, and runtime protection.

1. Input verification and prevention of injection attacks

Input verification is the first line of defense to prevent most common vulnerabilities.

• Never trust user input : Verify all inputs from front-end, API, files, databases, and even internal services.
• Prevent SQL injection using parameterized queries or precompiled statements :

   String sql = "SELECT * FROM users WHERE username = ?";
  PreparedStatement pstmt = connection.prepareStatement(sql);
  pstmt.setString(1, username);

• For ORM frameworks such as Hibernate, use named parameters or Criteria APIs to avoid splicing HQL.
• Prevent XSS (cross-site scripting): Encoding data output to HTML pages (such as using OWASP Java Encoder):

   String safeOutput = Encode.forHtml(userInput);

• Verify input formats (such as regular expressions, type checking, length limit) using whitelists.

2. Safely manage dependencies and third-party libraries

Enterprise projects often rely on a large number of third-party libraries that may introduce known vulnerabilities.

• Regularly scan for dependencies : Use tools such as:
  • OWASP Dependency-Check
  • Snyk
  • Maven/Gradle plug-in integration CI/CD process
• Update library version in time : Pay attention to security announcements (such as Log4Shell) of common libraries such as Spring, Jackson, Log4j, etc.
• Minimize dependency scope : Only the necessary libraries are introduced to avoid the risks brought by "transmitting dependencies".
• Use SBOM (Software Bill of Materials) to record all components for easy auditing and response to vulnerabilities.

3. Identity authentication and authorization mechanism

Enterprise applications must implement strong identity authentication and fine-grained authorization.

• Use mature security frameworks such as:
  • Spring Security (recommended)
  • Apache Shiro
• Implement multi-factor authentication (MFA) for sensitive operations.
• Third-party integration or single sign-on (SSO) using OAuth 2.0/OpenID Connect .
• Follow the principle of Least Privilege:
  • Access control based on roles (RBAC) or attributes (ABAC)
  • Avoid hard-coded permission logic
• Implement audit logs in critical operations to record who, when, and what.

4. Security configuration and sensitive information management

Incorrect configuration can cause serious security issues.

• Do not hardcode passwords, keys, API tokens in code or configuration files :
  • Use environment variables
  • External configuration centers (such as Spring Cloud Config, Hashicorp Vault)
  • Kubernetes Secrets or AWS Secrets Manager
• Disable debugging functionality and stack information to expose it to production environments:

   // Avoid returning exceptions directly to the front-end @ControllerAdvice
  public class GlobalExceptionHandler {
      @ExceptionHandler(Exception.class)
      public ResponseEntity<String> handleGenericException() {
          return ResponseEntity.status(500).body("Internal server error");
      }
  }

• Close unnecessary services and ports (such as JMX, debug endpoints).
• Enable HTTPS and configure a secure TLS version (TLS 1.2), disable weak encryption suites.

5. Session Management and Cookie Security

Insecure session management can lead to session hijacking.

• Use secure session mechanisms (such as Spring Security's Session Management).
• Set Cookie Security Properties:
  • Secure : Transfer via HTTPS only
  • HttpOnly : Prevent JavaScript access (prevent XSS theft)
  • SameSite=Strict or Lax : Prevent CSRF
• Set a reasonable session timeout:

   http.sessionManagement()
      .invalidSessionUrl("/login?expired")
      .maximumSessions(1)
      .maxSessionsPreventsLogin(false);

• Explicitly destroy the session when the user logs out.

6. Logging and monitoring

Logs are the key to detecting and responding to security incidents.

• Record critical security events: login attempts (success/failure), permission changes, sensitive operations.
• Avoid recording sensitive information (such as password, ID number, credit card) in the log.
• Use a centralized logging system (such as ELK, Splunk) and set alarm rules.
• Regularly review logs to identify abnormal behaviors (such as brute force cracking, abnormal access time).

7.Safe coding habits and code auditing

Good coding habits can reduce the introduction of vulnerabilities.

• Avoid using unsafe APIs:
  • Runtime.exec() (Command Injection Risk)
  • System.setProperty() (affects JVM security policies)
  • Deserialization (especially ObjectInputStream ), it is recommended to use JSON instead.
• Use SecurityManager (although deprecated in newer versions, it is valuable in some scenarios).
• Regular code audits and penetration testing .
• Use the static analysis tool:
  • SonarQube (Integrated FindSecBugs)
  • Checkmarx
  • Fortify

8. JVM and runtime security

Enterprise applications usually run in a controlled environment, but still need to pay attention to runtime security.

• Run Java applications as non-root users.
• Set reasonable JVM parameters and limit resource usage:

   java -Djava.security.manager \
       -Xmx512m -Xms256m \
       -XX: DisableExplicitGC \
       -jar app.jar

• Enable Security Manager (if fine control permissions are required) and configure the java.policy file.
• Monitor JVM metrics (memory, threads, GC) to prevent DoS-like attacks.

Basically these core points. The security of Java enterprise applications is not a one-time task, but a continuous process throughout the entire life cycle of development, deployment, and operation and maintenance. Only by establishing a safe development life cycle (SDL) process, combined with automation tools and regular training, can we truly improve the overall safety level.

The above is the detailed content of Java Security Best Practices for Enterprise Applications. For more information, please follow other related articles on the PHP Chinese website!