Difference between revisions of "Java Security Frameworks"

From OWASP
(Enterprise)
(Add OACC to list of security frameworks)
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
A list of third party (i.e. not part of Java SE or EE) security frameworks.
+
A list of third party (i.e. not part of Java SE or EE) security frameworks. This page contains a list of Java security libraries and frameworks and indicates which security features each library supports.  
  
 
==Enterprise==
 
==Enterprise==
 
* [[ESAPI|OWASP Enterprise Security API]] a new OWASP project to provide all essential security services under one roof.
 
* [[ESAPI|OWASP Enterprise Security API]] a new OWASP project to provide all essential security services under one roof.
 +
* [http://www.hdiv.org/ HDIV] A web application security framework that provides a number of functions.
  
== Access Control (Authentication and Authorisation) ==
+
== Access Control (Authentication and Authorization) ==
* [http://www.acegisecurity.org/ Acegi Security] - Acegi Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring. Using Acegi Security provides your applications with comprehensive authentication, authorization, instance-based access control, channel security and human user detection capabilities.
+
 
* [http://sourceforge.net/projects/jguard jGuard] - jGuard is written in Java. Its goal is to provide a security framework based on JAAS (Java Authentication and Authorization Security). The framework is written for web and standalone applications, to easily provide solutions for access control problems.
 
* [http://sourceforge.net/projects/jguard jGuard] - jGuard is written in Java. Its goal is to provide a security framework based on JAAS (Java Authentication and Authorization Security). The framework is written for web and standalone applications, to easily provide solutions for access control problems.
 +
* [http://oaccframework.org/ OACC] - OACC is an application security framework for Java designed for fine grained (object level) access control. OACC uses the abstraction of a ''resource'' for the application objects being secured. This key abstraction enables OACC to provide a rich API that includes grant, revoke and query capabilities for storing and managing the application's security relationships.
  
 
== Encryption ==
 
== Encryption ==
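Review bot: the new opening paragraph says the same thing twice (a list of third-party security frameworks, then a list of Java security libraries and frameworks); merge it into one sentence, e.g. "A list of third-party (i.e. not part of Java SE or EE) Java security libraries and frameworks, indicating which security features each one supports." Separately, the Acegi Security entry on the old side of the Access Control section has no counterpart on the new side, so it disappears silently; if the removal is intended, a short note in the edit summary or an entry for whatever replaces it would keep this from reading as an accidental deletion.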
Line 12: Line 13:
 
* [http://www.jasypt.org/ Jasypt] - Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.
 
* [http://www.jasypt.org/ Jasypt] - Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.
  
[[Category:OWASP Java Project]]
+
== Cross Site Scripting (XSS) ==
 +
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project] is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies to help Java web developers defend against Cross Site Scripting.
 +
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project OWASP Java HTML Sanitizer Project] is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
 +
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP Java JSON Sanitizer] is a tool to convert JSON-like content to valid JSON! The OWASP JSON Sanitizer Project is a simple to use Java library that can be attached at either end of a data-pipeline
 +
 
 +
== Additional Java Security Libraries  ==
 +
 
 +
{| border="1" align="center" width="80%" cellspacing="1" cellpadding="1"
 +
|-
 +
! scope="col" | Name and link<br>
 +
! scope="col" | Updated<br>
 +
! scope="col" | AU<br>
 +
! scope="col" | AC<br>
 +
! scope="col" | CF<br>
 +
! scope="col" | CR<br>
 +
! scope="col" | IV<br>
 +
! scope="col" | OE<br>
 +
! scope="col" | SM<br>
 +
! scope="col" | XM<br>
 +
! scope="col" | XS<br>
 +
|-
 +
| [http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project AntiSami]<br>
 +
| align="center" | 2011<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | &nbsp;Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
|-
 +
| [http://santuario.apache.org/ Apache Santuarrio]<br>
 +
| align="center" | 2011<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | &nbsp;Y<br>
 +
| align="center" | <br>
 +
|-
 +
| [http://shiro.apache.org/ Apache Shiro]<br>
 +
| align="center" | 2011<br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | Y<br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | Y<br>
 +
|-
 +
| [http://www.bouncycastle.org/ Bouncy Castle]<br>
 +
| align="center" | 2011<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
|-
 +
| [http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project CSRFGuard]<br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
|-
 +
| [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API ESAPI]<br>
 +
| align="center" | 2010<br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | <br>
 +
| align="center" | Y<br>
 +
|-
 +
| [http://www.jasypt.org/ Jasypt]<br>
 +
| align="center" | 2010<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
|-
 +
| [http://sourceforge.net/projects/jguard/ iGuard]<br>
 +
| align="center" | 2011<br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
|-
 +
| [http://oaccframework.org/ OACC]<br>
 +
| align="center" | 2014<br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | Y<br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
|-
 +
| [http://www.sapia-oss.org/projects/vlad/ Vlad]<br>
 +
| align="center" | &nbsp;?<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | Y<br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
| align="center" | <br>
 +
|}
 +
 
 +
<br>
 +
 
 +
== Security Features Key  ==
 +
 
 +
*AU Authentication
 +
*AC Authorization / Access Control
 +
*CF Anti CSRF
 +
*CR Cryptography
 +
*IV Input Validation
 +
*OE Output encoding
 +
*SM Session management
 +
*XM XML security
 +
*XS XSS protection
 +
 
 +
[[Category:OWASP_Java_Project]]
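Review bot: three project names in the new table do not match their own links: "AntiSami" (link target is OWASP_AntiSamy_Project), "Apache Santuarrio" (santuario.apache.org) and "iGuard" (sourceforge.net/projects/jguard, and listed as jGuard in the Access Control section above); correct them to AntiSamy, Apache Santuario and jGuard. The column codes (AU, AC, CF, ...) are only explained in the Security Features Key that comes after the table; moving the key above the table, or spelling the column names out, would make the table readable on its own. The OWASP Java JSON Sanitizer entry also ends mid-sentence ("attached at either end of a data-pipeline").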

Latest revision as of 21:21, 23 November 2014

A list of third-party (i.e. not part of Java SE or EE) Java security libraries and frameworks, indicating which security features each one supports.

Enterprise

  • OWASP Enterprise Security API - a new OWASP project to provide all essential security services under one roof.
  • HDIV - a web application security framework that provides a number of functions.

Access Control (Authentication and Authorization)

  • jGuard - jGuard is written in Java. Its goal is to provide a security framework based on JAAS (Java Authentication and Authorization Service). The framework targets both web and standalone applications and aims to make access control problems easy to solve.
  • OACC - OACC is an application security framework for Java designed for fine-grained (object-level) access control. OACC uses the abstraction of a resource for the application objects being secured. This key abstraction enables OACC to provide a rich API that includes grant, revoke and query capabilities for storing and managing the application's security relationships.

Encryption

  • Bouncy Castle - lightweight Java cryptography APIs.
  • Jasypt - Jasypt is a Java library that lets developers add basic encryption capabilities to their projects with minimum effort and without needing deep knowledge of how cryptography works.

Cross Site Scripting (XSS)

  • OWASP Java Encoder Project - a simple-to-use, drop-in, high-performance encoder class for Java 1.5+ with no dependencies, which helps Java web developers defend against Cross-Site Scripting.
  • OWASP Java HTML Sanitizer Project - a fast and easy-to-configure HTML sanitizer written in Java that lets you include HTML authored by third parties in your web application while protecting against XSS.
  • OWASP Java JSON Sanitizer - a tool to convert JSON-like content to valid JSON. The OWASP JSON Sanitizer Project is a simple-to-use Java library that can be attached at either end of a data-pipeline

Additional Java Security Libraries

Name              Updated  AU  AC  CF  CR  IV  OE  SM  XM  XS  Link
AntiSamy          2011                     Y   Y               http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Apache Santuario  2011                                 Y       http://santuario.apache.org/
Apache Shiro      2011     Y   Y   ?   Y   ?   Y   Y   ?   Y   http://shiro.apache.org/
Bouncy Castle     2011                 Y                       http://www.bouncycastle.org/
CSRFGuard         ?                Y   Y                       http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
ESAPI             2010     Y   Y   ?   Y   Y   Y   ?       Y   http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Jasypt            2010                 Y                       http://www.jasypt.org/
jGuard            2011     Y   Y                               http://sourceforge.net/projects/jguard/
OACC              2014     Y   Y       Y   Y       ?           http://oaccframework.org/
Vlad              ?                        Y                   http://www.sapia-oss.org/projects/vlad/

Security Features Key

  • AU - Authentication
  • AC - Authorization / Access Control
  • CF - Anti-CSRF
  • CR - Cryptography
  • IV - Input Validation
  • OE - Output encoding
  • SM - Session management
  • XM - XML security
  • XS - XSS protection