• Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
• JJWT - Java JWT: JSON Web Token for Java and Android.
• OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
• PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
• Spring Security - A powerful and highly customizable authentication and access-control framework.
• Spring Security Oauth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

• hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
• GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.

• Spotbugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
• Find Security Bugs - SpotBugs plugin for security audits of Java web applications and Android applications.
• Detect Secrets - An enterprise friendly way of detecting and preventing secrets in code.
• Gitrob - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
• Sonarqube - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.

• Code Pulse - Code Pulse is a real-time code coverage tool for penetration testing activities.
• OWASP ZAP - Helps automatically find security vulnerabilities in your web applications.

• OWASP Dependency-Check - Detects publicly disclosed vulnerabilities in application dependencies.
• Snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.
• Snyk Vulnerability DB - Commercial but free listing of known vulnerabilities in libraries.
• Common Vulnerabilities and Exposures - Vulnerabilities that were assigned a CVE. Covers the language and packages.
• National Vulnerability Database - Java known vulnerabilities in the National Vulnerability Database.

• Bouncy Castle - Java implementation of cryptographic algorithms.
• Conscrypt - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
• Cryptomator - Multi-platform transparent client-side encryption of your files in the cloud.
• Keyczar - Easy-to-use crypto toolkit by Google.
• Keywhiz - System for distributing and managing secrets.
• Tink - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
• ACME4J - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA.

• BodgeIt Store - A vulnerable web application aimed at people who are new to pen testing.
• OWASP Benchmark - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
• Security Shepherd - Web and mobile application security training platform.
• WebGoat - A deliberately insecure Java Web Application.

• Java Platform, Standard Edition Security Developer’s Guide - This guide covers major Java Standard Edition security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extensions (JSSE)
• Application Security Verification Standard - (PDF) The standard is a list of application security requirements that can be used by developers.
• Spring Security CSRF - A Guide to CSRF Protection in Spring Security.
• Secure Coding Guidelines - Secure Coding Guidelines for Java SE
• Securing a Web Application - This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.
• Spring Security Guides - Step by step guides on how to use Spring Security.
• Prevent cross-site scripting (XSS) attacks - This article explains how XSS attacks work and suggests a methodology to block XSS attacks.

• JSR 115: Java Authorization Contract for Containers
• JSR 196: Java Authentication Service Provider Interface for Containers
• JSR 375: Java EE Security API

• Java Security Reporting

Found an awesome project, package, article, or another type of resources related to Java Security? Open a pull request! Just follow the guidelines. Thank you!

say hi on Twitter