Use a secure framework like Spring Security for authentication, CSRF protection, and session management. 2. Validate and sanitize all input using Bean Validation and output encoding to prevent injection and XSS. 3. Prevent common vulnerabilities such as XSS, SQL injection, CSRF, IDOR, and misconfiguration by using secure coding practices and security headers. 4. Implement secure authentication and session management with strong hashing, MFA, secure cookies, and short timeouts. 5. Enforce HTTPS with TLS, HSTS, and strong ciphers for secure communication. 6. Apply proper access controls using RBAC or ABAC with authorization checks on all endpoints. 7. Secure dependencies and configuration by scanning for vulnerabilities and managing secrets externally. 8. Log and monitor security events without recording sensitive data, using centralized logging and alerts. 9. Perform regular security testing through code reviews, static analysis, and penetration testing. 10. Keep the JVM, framework, and server updated with the latest security patches to protect against known vulnerabilities. Securing a Java web application requires continuous effort across all layers, starting with a solid framework and following the principle of never trusting, always verifying.

Securing a web application in Java involves multiple layers of protection—from input validation to authentication and secure deployment. Here are key practices to follow, broken down into essential areas:

1. Use a Secure Framework (Like Spring Security)

Start with a battle-tested security framework. Spring Security is the most widely used in the Java ecosystem and provides built-in support for:

• Authentication and authorization
• CSRF protection
• Session management
• OAuth2 and OpenID Connect
• Method-level security

Example: Enable basic security in Spring Boot with minimal configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults())
            .httpBasic(withDefaults());
        return http.build();
    }
}

Always keep your framework dependencies updated to avoid known vulnerabilities.

2. Validate and Sanitize All Input

Never trust user input. Validate and sanitize data on both client and server sides.

• Use Bean Validation (JSR 380) with annotations like @NotNull, @Size, @Pattern
• Sanitize inputs that go into HTML, SQL, or OS commands
• Reject malformed or suspicious payloads

Example:

public class UserForm {
    @NotBlank
    @Email
    private String email;

    @Size(min = 6, max = 100)
    private String password;
}

Also, use libraries like OWASP Java Encoder or JSoup to escape output and prevent XSS.

3. Prevent Common Web Vulnerabilities

Be aware of the OWASP Top 10 and address them:

• Cross-Site Scripting (XSS): Escape output using proper encoding (e.g., HTML, JavaScript, URL encoding).
• SQL Injection: Use prepared statements or JPA/Hibernate with parameterized queries—never concatenate SQL.
• CSRF: Enable CSRF protection (Spring Security does this by default for stateful apps).
• Insecure Direct Object References (IDOR): Enforce authorization checks on every request.
• Security Misconfiguration: Disable debug modes, hide server banners, and use secure headers.

Add security headers via filters or framework config:

http.headers().contentSecurityPolicy("default-src 'self'");

4. Secure Authentication and Session Management

• Use strong password policies and bcrypt/argon2 for hashing (never store plain text).
• Implement multi-factor authentication (MFA) for sensitive apps.
• Set secure session cookies:

http.sessionManagement(session -> session
    .invalidSessionUrl("/login?expired")
    .sessionFixation().migrateSession()
)
.cookieConfig(cookie -> cookie
    .secure(true)        // HTTPS only
    .httpOnly(true)      // Not accessible via JavaScript
    .sameSite("STRICT")  // Prevent CSRF
);

• Set short session timeouts and allow admin to revoke sessions.

5. Use HTTPS and Secure Communication

• Always use TLS (HTTPS) in production.
• Redirect HTTP to HTTPS.
• Use strong ciphers and keep your Java truststore updated.
• Consider HSTS (HTTP Strict Transport Security):

http.headers().httpStrictTransportSecurity()
    .maxAgeInSeconds(31536000)
    .includeSubDomains(true);

6. Apply Proper Access Controls

• Use role-based (RBAC) or attribute-based (ABAC) access control.
• Enforce checks on every endpoint:

@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(Long id) { ... }

• Avoid horizontal/vertical privilege escalation.

7. Secure Dependencies and Configuration

• Use tools like OWASP Dependency-Check or Snyk to scan for vulnerable libraries.
• Never hardcode secrets (passwords, API keys). Use:
  • Environment variables
  • External configuration servers (e.g., HashiCorp Vault)
  • Spring Cloud Config with encryption

Example in application.yml:

spring:
  datasource:
    password: ${DB_PASSWORD}

8. Log and Monitor Security Events

• Log authentication attempts, access denials, and privileged actions.
• Avoid logging sensitive data (passwords, tokens).
• Use centralized logging (e.g., ELK, Splunk) and set up alerts.

Example:

logger.warn("Failed login attempt for user: {}", username);

9. Regular Security Testing

• Perform code reviews with a security focus.
• Run static analysis tools (e.g., SonarQube, SpotBugs with security plugins).
• Conduct penetration testing and DAST scans (e.g., OWASP ZAP).
• Fix vulnerabilities quickly and track them in a CVE database.

10. Keep the JVM and Server Updated

• Run the latest stable version of Java (preferably LTS with security patches).
• Harden the JVM with security managers (if applicable) and secure java.security settings.
• Keep your application server (Tomcat, Jetty, etc.) updated and minimal.

Securing a Java web app isn't a one-time task—it's ongoing. Start with a solid framework, validate everything, use HTTPS, manage sessions securely, and stay updated. Most breaches happen due to known issues that were left unpatched.

Basically, follow the principle: never trust, always verify.

The above is the detailed content of How to secure a web application in Java?. For more information, please follow other related articles on the PHP Chinese website!