java
Safeguard articles tagged "java" — guides, analysis, and best practices for software supply chain and application security.
70 articles
Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images
jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.
Installing and Verifying Java on macOS Securely
A SHA-256 checksum only proves a JDK download wasn't corrupted in transit — it takes a GPG signature check to prove it actually came from the vendor you trust.
Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages
NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.
Java SecurityManager is gone: a practical migration guide
JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.
Secure URL Encoding and Decoding in Java
Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.
Robust input validation in Spring Boot: Bean Validation and its bypasses
Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.
Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox
CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.
Java Secrets Management: Getting Credentials Out of Your Code
Hardcoded credentials are among the most common findings in Java codebases. Here's how to externalize, rotate, and protect secrets properly in 2026.
Text4Shell (CVE-2022-42889) Explained: RCE in Apache Commons Text Interpolation
CVE-2022-42889, Text4Shell, let attackers run code through Apache Commons Text's string interpolation when apps passed untrusted input to StringSubstitutor. Here is the flaw and why it was narrower than feared.
JVM Supply Chain Security: Securing the Path from Source to Artifact
Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.
Spring Framework Security Guide (2026)
Spring Framework is the backbone of enterprise Java — and the source of Spring4Shell plus a steady stream of path-traversal and SSRF CVEs. Here is how to run it safely in 2026.
Java SQL Injection Prevention: Parameterized Queries and Beyond
SQL injection is decades old and still breaching Java apps. Here's how to prevent it with prepared statements, JPA binding, and safe dynamic queries.