Security in the Payara Platform

Security is always a concern when implementing applications that will run in production environments. The Payara Platform Enterprise is a fully-supported open source software for enterprises offering a strong tool set of security features so you won’t have to implement your own security measures from scratch,  enabling reliable and secure deployments of Jakarta EE and MicroProfile applications on premises, in the cloud, or hybrid environments.

Making the platform secure and providing useful built-in security tools for application developers and production administrators is an essential part of the platform development process and is accomplished with monthly releases, security fixes, critical security patches, and a 10-year software lifecycle. The Payara Platform also provides tools to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.

Security Guides

Security Auditing in Payara Server

Security Auditing in Payara Server

This guide explains and demonstrates the security auditing best practises and features you can find in Payara Server. Security is always a concern you must have when implementing applications that will run in production environments. Both the JVM and Payara Server have a strong tool set of security implementations for most use cases in the industry.

Download Guide

Securing Your Applications Running on Payara Platform (JAX-RS Endpoints)

Securing Your Applications Running on Payara Platform (JAX-RS Endpoints)

This User Guide will discuss the different aspects of securing the JAX-RS endpoints of your application using standards and common practices like OAuth2, OpenID Connect, JWT Tokens, and MicroProfile JWT authentication in combination with the Payara Platform.

Download Guide

Security Tools in Payara Platform

Security Tools in the Payara Platform datasheet

In this datasheet learn about the tools provided by the Payara Platform to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.

Download Guide

How to Develop Applications with Minimal Security Risks

How to Develop Applications with Minimal Security Risks image

This user guide written in collaboration with Snyk, takes you through 7 key pointers for developing applications with a minimal security risk. It will help you take responsibility for the security of your software, to best avoid becoming one of the 20,000 websites every day that get hacked on average.

Download Guide

More Guides

How to Raise Security Issues

Payara Services Limited is very active at identifying and fixing possible security vulnerabilities included into Payara Server and Payara Micro that are either inherited from GlassFish upstream or introduced by new features developed.

We strongly encourage users to report such problems in the following ways:

  1. If you have a support contract, create a ticket describing the security vulnerabilities detected as you would do for any other bug reports.
  2. If you do not have a support contract, please send an email with the described vulnerabilities detected to security@payara.fishPlease don’t use this address to report bugs or issues unrelated to security vulnerabilities as they will be ignored, instead use the GitHub repository issues page for raising a new issue detailing the problem at hand.

You can also direct inquiries about reported CVE issues detected in similar Java platforms or application servers (like Apache Tomcat, JBoss WildFly, etc.) and let us research whether or not Payara Server is affected by such issues.

Community Security Fixes SummaryEnterprise Security Fixes Summary

Security Articles

  • Eclipse Foundation’s New Open Regulatory Compliance Working Group Launch 01 Oct 2024

    The Eclipse Foundation is launching a new Open Regulatory Compliance Working Group on 24 September 2024. Payara Services is delighted to be a Participant member and the organization is keen to ensure as many development and security teams, small to medium-sized enterprises, and corporations as possible are aware of its work. And, of course, the more organizations that join the Open Regulatory Compliance Group, the stronger our impact can be. When we work together, we can better represent open-source software-related industries while the EU develops standards under the Cyber Resilience Act 2024 and subsequent data security compliance legislation. In this blog post, we look at the history and development of the Eclipse Foundation as well as its new focus on cybersecurity compliance regulations through the new working group since July 2024.

  • Join Live Webinar - Simplifying Security for Your Jakarta EE Applications with Apache Shiro 26 Aug 2024

    Join us for an insightful webinar with Lenny Primak & Luqman Saeed, where we'll demystify security for your Jakarta EE applications using Apache Shiro. Simplifying Security for Your Jakarta EE Applications with Apache Shiro Wednesday, the the 4th of September, 4pm BST Register: https://www.crowdcast.io/c/security-with-jakarta-and-apache-shiro

  • Drive Application Security By Leaving Legacy Solutions 24 Jul 2024

    In an increasingly interconnected and digital world, it is no surprise that there has been a steady rise in the number and cost of security breaches over the last few years. To maximize the robustness and resilience of your applications and prevent any vulnerability from being exploited, it's important for companies to keep everything around their software up to date. When it comes to application servers, it means using a modern, fully supported solution or upgrading to one quickly. With Java EE-based server runtime environments being outdated legacy software and lacking support, it is essential to migrate applications relying on these to favor an alternative, such as Jakarta EE, to safeguard your applications and data.

  • Securing Jakarta EE Applications with OIDC and Keycloak 12 Jun 2024

    Introduction Security is a paramount concern for modern web applications. Protecting sensitive data and user access necessitates a standardized approach. The OpenID Connect (OIDC) protocol, in conjunction with Identity Providers (IdPs) like Keycloak, and the Jakarta Security API integrated into Jakarta EE, offer a reliable solution. Together, they help streamline authentication and authorization in your Jakarta EE applications.

  • Secure Your Java Applications with Passay: The Essential Password Utility Library 29 Jan 2024

    In the digital age, where data breaches are common and privacy is paramount, ensuring users use strong passwords is the first step to securing applications from never-ending threats. Passay, a Java password generation and policy management library helps enhance the security layer of any Java application. Let's dive into the core components of Passay in this blog post to see how you can employ it in your own applications. 

More Security Articles

MicroProfile in Practice – Expose and visualise metrics, Configure your app & Secure REST endpoints.

Java Champion Ondrej Mihalyi demonstrates with a simple game application, some MicroProfile capabilities in the Payara Platform which powers both Payara Server and Payara Micro. Demonstrating how to:

  • Expose operational and business logic metrics and how to visualise them.
  • Configure your applications.
  • Secure REST endpoints in your applications using JSON web token mechanism.

How to Create a Secure JSF JPA Application

How to Create a Secure JSF/JPA Web App on Payara Server 5 – Learn how to create a secure web application using multiple Java EE/Jakarta EE APIs and connect it to a MySQL 8 database in this comprehensive tutorial.

Authentication and Authorization with Payara and MicroProfile JWT

In this video, Java Champion Adam Bien explores Authentication and authorization in JAX-RS with JSON Web Tokens (JWT). Tokens were generated with http://jwtenizr.sh The service was deployed with http://wad.sh to http://payara.fish.

MicroProfile Metrics with Prometheus and Grafana

The goal of MicroProfile Metrics is to expose monitoring data from the implementation in a unified way. It also defines a Java API so that the developer can define and supply his own values. Prometheus is a popular Open-Source product for gathering metrics. Grafana is a multi-platform open source solution for running data analytics, pulling up metrics, and monitoring apps.

Back to top