Top 23 Java Security Projects
-
To demonstrate the key differences between OIDC and SAML, I have created a small repo that allows to deploy Keycloak on an EC2 instance and then configure the SAML and OIDC clients to use with AWS. For those unfamiliar with Keycloak, it is an open source Identity and Access Management tool sponsored by RedHat and widely used by many of our customers and ourselves as an identity provider. Among other features, Keycloak supports SAML and OIDC protocols for identity management and provides user federation via LDAP that allows to use it with an existing user base from an Active Directory. After deployment of Keycloak and configuring the SAML and OIDC clients, we can use Keycloak to login into AWS. The SAML login can be performed by going to https://auth.\${TF\_VAR\_root\_dn}/realms/awsfed/protocol/saml/clients/amazon-aws where ${TF_VAR_root_dn} is the subdomain you need to create before the deployment. After entering the credentials for the user testuser that is created by the deployment scripts, we get redirected to the AWS console for the AWS account to which Keycloak has been deployed. If we would have assigned multiple roles to the same Keycloak group (or multiple groups to testuser), a page like the one below would appear (which would look familiar to everyone who already used SAML federation with AWS). If you like to experiment and have deployed everything from the repo, you can go to the network tab of the development tools of the browser, find the saml document there and copy its contents.
-
Project mention: Saving sessions for bug bounty, how important it is? | reddit.com/r/bugbounty | 2022-08-11
I am using ZAP instead of Burp Community because of an option to save session and a few other things, but unfortunately there is a bug or just bad functionality inside ZAP to freeze and takes too long to load existing sessions. There is even an open issue on GitHub from 2015 and still there is no fix for that. What is your opinion and experience with saving sessions for bug bounty, is it important for bug bounty hunting?
-
SonarLint
Clean code begins in your IDE with SonarLint. Up your coding game and discover issues early. SonarLint is a free plugin that helps you find & fix bugs and security issues from the moment you start writing code. Install from your favorite IDE marketplace today.
-
Project mention: Null ECDSA Signatures - Proof of concept for bypassing JWT signature checks using CVE-2022-21449 | reddit.com/r/netsec | 2022-04-21
Note that this PoC uses DER signature which is accepted by the jjwt library as fallback (see https://github.com/jwtk/jjwt/blob/master/impl/src/main/java/io/jsonwebtoken/impl/crypto/EllipticCurveSignatureValidator.java ), but that is not a standard. Standard is JOSE format.
-
Yes Sir! But if you really want to secure your files better use Cryptomator.
-
Spring Security 5.7
-
Project mention: Newb Question: how do I keep a user "logged in" on a React site using RESTful API? | reddit.com/r/node | 2022-08-14
Checkout these reactjs authentication examples implementing different strategies here, using SuperTokens in all of them.
-
I don't quite understand the window-logic but for logs there are things like Logstash, Loki, Graylog and probably many others that are meant to handle logs.
-
Scout APM
Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.
-
DependencyCheck
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
We use OWASP dependency-check and pass reports to SonarQube.
-
Shiro 1.8.0
-
-
MifareClassicTool
An Android NFC app for reading, writing, analyzing, etc. MIFARE Classic RFID tags.
Project mention: [request] A tweak to overwrite 4-but udid of a mifare card | reddit.com/r/jailbreak | 2022-08-08Following this vulnerability: https://timdows.com/projects/using-a-mobile-phone-to-clone-a-mifare-card/ You can overwrite the UDID on a 4-but mifare card Problem is, the only software it links is for android (https://github.com/ikarus23/MifareClassicTool)
-
Project mention: Keycloak: Open-Source Identity and Access Management | news.ycombinator.com | 2022-05-04
-
Project mention: How to store sensitive information passwords and etc | reddit.com/r/javahelp | 2022-03-05
Check out Jasypt Spring Boot Starter. https://github.com/ulisesbocchio/jasypt-spring-boot
-
pac4j
Security engine for Java (authentication, authorization, multi frameworks): OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...
-
find-sec-bugs
The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)
-
-
Project mention: Bouncy Castle VS pgpainless - a user suggested alternative | libhunt.com/r/bc-java | 2022-08-12
-
Project mention: P2P E2EE global filesystem and application protocol | news.ycombinator.com | 2022-08-16
-
itext7
iText 7 for Java represents the next level of SDKs for developers that want to take advantage of the benefits PDF can bring. Equipped with a better document engine, high and low-level programming capabilities and the ability to create, edit and enhance PDF documents, iText 7 can be a boon to nearly every workflow.
iText 7
-
dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
It's missing DependencyTrack which has been adopted by OWASP.
-
Project mention: BinAbsInspector: BinAbsInspector: Vulnerability Scanner for Binaries | reddit.com/r/CKsTechNews | 2022-04-20
-
nzyme
Nzyme is a free and open next-generation WiFi defense system. Go to www.nzyme.org for more information.
Project mention: Nzyme – open-source next-generation WiFi defense system | news.ycombinator.com | 2021-10-04 -
Install Orbot to use Tor as proxy, optionally replaced or combined with WireGuard.
Java Security related posts
- Can MEGA be trusted?
- ⟳ 1 apps added, 4 updated at apt.izzysoft.de
- Newb Question: how do I keep a user "logged in" on a React site using RESTful API?
- I am building a REST API using nodejs for my mobile application So for authentication Can I generate a jwt token to each user when they logged in and use that to access another API routes? Is that a safe approach?
- Is there a Free, Open Source App alternative for 'DO Multiple Accounts - Infinite Parallel Clone' that respects Privacy + Security?
- Apple asked for a cut of Facebook’s ad sales years before it stifled Facebook’s ad sales
- Fortifying federated access to AWS via OIDC
Index
What are some of the best open-source Security projects in Java? This list will help you:
| Project | Stars | |
|---|---|---|
| 1 | Keycloak | 13,121 |
| 2 | Zed | 9,741 |
| 3 | jjwt | 8,489 |
| 4 | Cryptomator | 7,745 |
| 5 | Spring Security | 7,017 |
| 6 | SuperTokens Community | 6,762 |
| 7 | graylog | 6,207 |
| 8 | DependencyCheck | 4,310 |
| 9 | Apache Shiro | 3,875 |
| 10 | hawk | 3,870 |
| 11 | MifareClassicTool | 3,069 |
| 12 | Keywhiz | 2,514 |
| 13 | jasypt-spring-boot | 2,213 |
| 14 | pac4j | 2,159 |
| 15 | find-sec-bugs | 1,929 |
| 16 | jCasbin | 1,779 |
| 17 | Bouncy Castle | 1,749 |
| 18 | Peergos | 1,495 |
| 19 | itext7 | 1,305 |
| 20 | dependency-track | 1,268 |
| 21 | BinAbsInspector | 1,164 |
| 22 | nzyme | 1,095 |
| 23 | orbot | 1,061 |
Are you hiring? Post a new remote job listing for free.
