Business-ready architecture. Work with an open source leader.
Try Payara Enterprise
Luxury German Vehicle Manufacturer Migrates from GlassFish to Payara Server
Download BMW Case Study PDF
Security is always a concern when implementing applications that will run in production environments. The Payara Platform Enterprise is a fully-supported open source software for enterprises offering a strong tool set of security features so you won’t have to implement your own security measures from scratch, enabling reliable and secure deployments of Jakarta EE and MicroProfile applications on premises, in the cloud, or hybrid environments.
Making the platform secure and providing useful built-in security tools for application developers and production administrators is an essential part of the platform development process and is accomplished with monthly releases, security fixes, critical security patches, and a 10-year software lifecycle. The Payara Platform also provides tools to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.
Payara Platform DocumentationFeatures Catalog
This guide explains and demonstrates the security auditing best practises and features you can find in Payara Server. Security is always a concern you must have when implementing applications that will run in production environments. Both the JVM and Payara Server have a strong tool set of security implementations for most use cases in the industry.
Download Guide
This User Guide will discuss the different aspects of securing the JAX-RS endpoints of your application using standards and common practices like OAuth2, OpenID Connect, JWT Tokens, and MicroProfile JWT authentication in combination with the Payara Platform.
In this datasheet learn about the tools provided by the Payara Platform to secure and restrict access to a production system, encrypt communication, and audit security events and configuration changes.
This user guide written in collaboration with Snyk, takes you through 7 key pointers for developing applications with a minimal security risk. It will help you take responsibility for the security of your software, to best avoid becoming one of the 20,000 websites every day that get hacked on average.
More Guides
Payara Services Limited is very active at identifying and fixing possible security vulnerabilities included into Payara Server and Payara Micro that are either inherited from GlassFish upstream or introduced by new features developed.
We strongly encourage users to report such problems in the following ways:
You can also direct inquiries about reported CVE issues detected in similar Java platforms or application servers (like Apache Tomcat, JBoss WildFly, etc.) and let us research whether or not Payara Server is affected by such issues.
Community Security Fixes SummaryEnterprise Security Fixes Summary
The Digital Operational Resilience Act (DORA) is changing the cybersecurity and regulatory compliance landscape for financial institutions in the EU. In effect, DORA is now binding, with regulators shifting from guidance to active enforcement. For developers building or maintaining financial applications, understanding DORA’s requirements and how to meet them is essential. In this post, we’ll break down what DORA is, why it's important and what it means for developers. You'll also get a glimpse on how to meet the regulatory requirements with your enterprise Java applications.
PCI DSS cybersecurity requirements are relevant for all sorts of organizations, whether you’re a financial institution or a business with customers and transactions. And, while there are already many laws, regulations, and standards designed to protect personal data, this standard is particularly focused on card transactions. In this blog post, we explain the PCI-DSS, its standards, requirements, levels, and certification.
Much like corporate offices, applications are critical assets at the core of modern business operations. As they hold valuable information by handling and processing data that support essential workflows, they are prime targets for hackers. As such, just as physical office spaces require security systems to protect valuable information and resources, applications need robust defenses to ensure data integrity, resilience and regulatory compliance. A secure environment relies on two complementary strategies: tools that identify vulnerabilities and proactive defenses that prevent cyber intrusions. Together, these approaches create a secure, robust framework that safeguards both the business and its users. Let’s explore how these essential strategies work and how they can deliver a synergetic effect in the context of application security.
Companies sometimes contemplate migrating their enterprise Java applications to a different runtime to optimize costs, benefit from greater technical support, achieve better performance, scalability or new functionalities. However, when it comes to taking active steps towards implementing an alternative application server, many decide not to proceed. A recurring concern for multiple companies is whether such migrations can be done securely, without compromising data integrity or compliance with stringent regulations. So, are application server migrations secure? How can teams ensure the right robustness and resilience measures are in place? Let’s dig in the world of runtime cybersecurity and migration planning.
One of the largest and longest-running Java conference, Devnexus 2025, is just around the corner and our Payarans are ready to bring cutting-edge insights to the event. If you’re a Java developer eager to explore the latest technology advancements and industry trends, this is an event you don’t want to miss!
More Security Articles
Java Champion Ondrej Mihalyi demonstrates with a simple game application, some MicroProfile capabilities in the Payara Platform which powers both Payara Server and Payara Micro. Demonstrating how to:
How to Create a Secure JSF/JPA Web App on Payara Server 5 – Learn how to create a secure web application using multiple Java EE/Jakarta EE APIs and connect it to a MySQL 8 database in this comprehensive tutorial.
In this video, Java Champion Adam Bien explores Authentication and authorization in JAX-RS with JSON Web Tokens (JWT). Tokens were generated with http://jwtenizr.sh The service was deployed with http://wad.sh to http://payara.fish.
The goal of MicroProfile Metrics is to expose monitoring data from the implementation in a unified way. It also defines a Java API so that the developer can define and supply his own values. Prometheus is a popular Open-Source product for gathering metrics. Grafana is a multi-platform open source solution for running data analytics, pulling up metrics, and monitoring apps.
