Java Security Frameworks

A list of third party (i.e. not part of Java SE or EE) security frameworks. This page contains a list of Java security libraries and frameworks and indicates which security features each library supports.

Enterprise

 * Apache Shiro is a Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
 * Spring Security provides comprehensive security services for Java EE-based enterprise software applications. Services include authentication, authorization and protection against attacks like session fixation, clickjacking and cross site request forgery. There is a particular emphasis on supporting projects built using the Spring Framework, but it is a powerful security solution for standard Java EE applications as well.
 * OWASP Enterprise Security API a new OWASP project to provide all essential security services under one roof.
 * HDIV A web application security framework that provides a number of functions.

Access Control (Authentication and Authorization)

 * jGuard - jGuard is written in Java. Its goal is to provide a security framework based on JAAS (Java Authentication and Authorization Security). The framework is written for web and standalone applications, to easily provide solutions for access control problems.
 * OACC - OACC is an application security framework for Java designed for fine grained (object level) access control. OACC uses the abstraction of a resource for the application objects being secured. This key abstraction enables OACC to provide a rich API that includes grant, revoke and query capabilities for storing and managing the application's security relationships.

Encryption

 * Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
 * Bouncycastle - Lightweight Java cryptography API provider.
 * Jasypt - Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.

Cross Site Scripting (XSS)

 * OWASP Java Encoder Project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies to help Java web developers defend against Cross Site Scripting.
 * OWASP Java HTML Sanitizer Project is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
 * OWASP Java JSON Sanitizer is a tool to convert JSON-like content to valid JSON! The OWASP JSON Sanitizer Project is a simple to use Java library that can be attached at either end of a data-pipeline
 * OWASP AntiSamy is a library for HTML and CSS encoding.

XML Security

 * The Apache Santuario project is aimed at providing implementation of the primary security standards for XML: XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.

CSRF Defense

 * The CSRF Project is a CSRF defense library that is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

Validation

 * Vlad stands for "validation". This projects indeed aims at offering a simple, high-level, extensible, generic validation framework that can easily be integrated into existing applications.