This article compares three popular Java security frameworks—Spring Security, Apache Shiro, and Sa‑Token—by examining their architecture, advantages, drawbacks, typical use cases, and providing a detailed side‑by‑side comparison to help developers make an informed framework selection.
This article introduces the core concepts and roles of OAuth 2.0, explains its four grant types, and provides a step‑by‑step Spring Boot implementation with complete configuration classes, dependency setup, and testing procedures for both authorization and resource servers.
This article explains Apache Shiro’s fundamental components—Subject, SecurityManager, Realm, Session, authentication, authorization, and cryptography—then walks through a complete configuration example, a custom Realm, JWT integration, and a Spring Boot microservice scenario to illustrate secure, stateless authentication and fine‑grained permission control.
This guide explains how to protect a Spring Boot release package from source leakage by comparing code obfuscation and encryption, detailing the configuration of the classfinal‑maven‑plugin, launch commands with and without passwords, and binding the encrypted jar to a specific machine.
This guide explains how to protect a SpringBoot-based e‑commerce project from source leakage by using code obfuscation or the ClassFinal Maven plugin, detailing configuration, startup options, decompilation results, and machine‑binding to ensure the packaged jar runs only on authorized servers.
This guide explains why and how to encrypt sensitive information in Spring Boot configuration files using Spring Cloud's built‑in encryption, Jasypt, command‑line parameters, and demonstrates the underlying implementation classes for secure application deployment.
JDK 20, released in March 2023, introduces a suite of security enhancements—including new exception constructors, expanded algorithm service attributes, stricter defaults for DTLS 1.0 and ECDH suites, performance‑boosting intrinsics for ChaCha20, Poly1305, MD5 and ECC, as well as new Java Flight Recorder events for tracking security properties—providing developers with stronger defaults and better observability.
This guide walks through common MyBatis SQL injection patterns—like fuzzy queries, IN clauses, and ORDER BY misuse—showing how to locate vulnerable XML, trace the call chain, and confirm exploitation with a crafted request, providing practical steps for Java security auditors.
Fastjson versions up to 1.2.80 contain a deserialization vulnerability that can bypass autoType restrictions, posing significant remote attack risk; users are advised to upgrade to the latest 1.2.83 release, enable safeMode or use the noneautotype builds, and consider migrating to Fastjson 2.0 for enhanced security.
Fastjson versions up to 1.2.80 contain a deserialization flaw that can bypass the default autoType restriction, but the issue is mitigated by safeMode; the Fastjson team has released patches, recommending upgrades to 1.2.83, enabling safeMode, or migrating to Fastjson v2 for enhanced security.
Google Open Source Insights researchers examined every Maven Central package version, revealing that over 8% of Java packages are affected by Log4j, most through transitive dependencies, and highlighting the complex, multi‑step remediation required across deep dependency trees.
Log4j2 2.17.0 fixes the critical CVE‑2021‑45105 vulnerability affecting versions up to 2.16.0, and the article explains the flaw, provides Maven upgrade instructions, and offers temporary mitigation steps for environments that cannot upgrade immediately.
The article explains the severe Apache Log4j 2 remote code execution flaw affecting versions up to 2.14.1, outlines its impact on Java applications, and provides both permanent upgrade steps and urgent workarounds to protect systems from exploitation.
This article breaks down the widely publicized Log4j2 (Log4Shell) flaw, explaining the underlying JNDI and LDAP lookup mechanisms, how malicious payloads are executed through log messages, the massive impact across Java ecosystems, and the steps needed to remediate the issue.
Google delays its office‑return plan and grants US staff a $1,600 bonus, while a severe Apache Log4j2 remote‑code‑execution flaw affecting many Java projects is disclosed with mitigation steps, and IntelliJ IDEA introduces built‑in audio‑video chat for collaborative coding.
This tutorial walks through building a Spring Boot application with Apache Shiro, covering core concepts, database schema design, Maven dependencies, configuration files, entity and DAO layers, service implementations, Shiro realm and security configuration, login handling, role and permission testing, and future extension ideas.
This article compares Apache Shiro and Spring Security, outlining their core concepts, execution flows, key features, and practical guidance to help developers choose the most suitable Java security framework based on project requirements and team expertise.
This extensive guide explains Apache Shiro's core concepts, demonstrates how to set up simple authentication, configure various Realm types, apply multi‑realm authentication strategies, encrypt passwords with hashing and salting, implement custom authorization, integrate Shiro with Spring MVC, explore different login methods, use JSP tags for UI control, and enable caching with Ehcache, providing complete code examples throughout.
This article introduces Apache Shiro, a lightweight Java security framework, covering its authentication, authorization, cryptography, session management, core components, module functions, and overall architecture to help developers grasp its practical use in permission management.
Apache Shiro 1.6.0 has been released, fixing a high‑risk authentication bypass vulnerability (CVE‑2020‑13933), updating several components, and providing Maven coordinates, so developers should upgrade immediately to secure their Java applications.
This article dissects the Apache Commons FileUpload DiskFileItem deserialization flaw, explains how readObject can be abused to write arbitrary files or directories depending on FileUpload and JDK versions, demonstrates payload construction with ysoserial, provides full Java code analysis, and outlines mitigation strategies.
This article walks through integrating Apache Shiro into a Spring Boot project to handle authentication, authorization, session management, and caching, including custom realms, Redis-backed sessions, and cache managers, while providing detailed code examples and configuration guidance.
This article explains how bytecode‑level fuzzing techniques—Classfuzz for syntax mutation and Classming for semantic mutation—are used to generate executable Java class variants, run differential tests across multiple JVM implementations, and systematically expose JVM defects and security vulnerabilities.
This article introduces Apache Shiro as a powerful Java security framework, explains its core components such as Subject, SecurityManager, Authenticator, Authorizer, Realm, SessionManager, CacheManager and Cryptography, and provides step‑by‑step integration instructions with Maven, XML configuration, custom realm code, controller logic and JSP tag usage.
This article introduces Apache Shiro, a lightweight Java security framework, and explains its three core concepts—Subject, SecurityManager, and Realms—while detailing the full system architecture including authenticators, authorizers, session management, caching, and cryptography components.
This article provides a step‑by‑step tutorial on using Apache Shiro for authentication, authorization, session management and encryption in a Java web project, covering Maven dependencies, custom Realm implementation, Spring XML configuration, servlet filter setup, controller logic, JSP login page, demo screenshots and common pitfalls.
