Java Security Best Practices

Most Java security bugs are not exotic. They are a missing input check, a string-concatenated SQL query, a password stored as a plain hash, or a secret committed to Git. This chapter walks through the defenses that stop the majority of real-world attacks: validate everything that crosses a trust boundary, never build queries by concatenation, hash passwords with a slow key-derivation function, keep secrets out of code, and run with the least privilege the task needs.

Validate input on an allowlist

The first rule is to treat all external input as hostile until proven otherwise: request parameters, file names, headers, message payloads, anything that crosses a trust boundary. Prefer an allowlist (accept only known-good shapes) over a denylist (try to block bad ones) — a denylist always misses a case.

// Allowlist: only lowercase letters, digits and underscore, 3–16 chars.
static boolean isValidUsername(String s) {
    return s != null && s.matches("[a-z0-9_]{3,16}");
}

// Constrain numbers to a sane range instead of trusting the caller.
int page = Math.clamp(requested, 1, 1000);

Validate at the edge of the system and again at any deeper boundary you do not control. Reject early, fail closed, and return a generic error so you do not leak the validation rule to an attacker probing your endpoint.

Use prepared statements, never string concatenation

SQL injection is still one of the most common and most damaging web vulnerabilities, and in Java it is trivial to prevent. Build queries with bind parameters through PreparedStatement; the driver sends the query template and the values separately, so user data can never be parsed as SQL.

// NEVER do this — user input becomes part of the query text.
String bad = "SELECT * FROM users WHERE name = '" + name + "'";

// Do this — the value is bound, not concatenated.
String sql = "SELECT id FROM users WHERE name = ?";
try (PreparedStatement ps = conn.prepareStatement(sql)) {
    ps.setString(1, name);
    try (ResultSet rs = ps.executeQuery()) {
        while (rs.next()) process(rs.getLong("id"));
    }
}

The same idea applies beyond SQL: use parameterized APIs for LDAP, OS commands (ProcessBuilder with an argument list, not a shell string), and any template that mixes code with data.

Hash passwords with a slow KDF

Passwords must never be stored in plain text or behind a fast hash like a single round of SHA-256 — modern GPUs try billions of those per second. Use a deliberately slow, salted key-derivation function. The JDK ships PBKDF2; Argon2 and bcrypt are excellent third-party options.

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.SecureRandom;

byte[] salt = new byte[16];
SecureRandom.getInstanceStrong().nextBytes(salt);        // unique per user

var spec = new PBEKeySpec(password, salt, 600_000, 256);  // iterations, key bits
var skf  = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] hash = skf.generateSecret(spec).getEncoded();
spec.clearPassword();                                     // wipe the secret

Approach	Verdict
Plain text / reversible	Never
MD5, SHA-1, single SHA-256	Far too fast — broken for passwords
PBKDF2 / bcrypt / Argon2 with a per-user salt	Correct
Same salt for every user	Defeats the salt's purpose

Always compare hashes with a constant-time check (MessageDigest.isEqual) so response timing does not reveal how much of a guess was right.

Keep secrets out of code

API keys, database passwords, and signing keys do not belong in source files — once committed they live in Git history forever. Read them from the environment or a secrets manager at runtime, and keep credentials out of logs and exception messages.

String dbPassword = System.getenv("DB_PASSWORD");
if (dbPassword == null || dbPassword.isBlank()) {
    throw new IllegalStateException("DB_PASSWORD is not configured");
}
// Hold short-lived secrets in char[]/byte[] and wipe them, not String,
// because String is immutable and lingers in the heap until GC.

Use SecureRandom (not java.util.Random) for anything security-sensitive — tokens, salts, nonces, session IDs. Random is predictable and seedable, which makes its output guessable.

Apply least privilege and safe defaults

Give every component only the access it needs and nothing more: a read-only database user for read paths, a service account scoped to one bucket, file permissions that exclude group and world. Validate TLS certificates (never disable hostname verification "to make it work"), set timeouts on every network call, and cap the size of anything you parse to avoid denial-of-service through oversized input or deserialization.

// Never deserialize untrusted bytes with Java's native serialization.
// Prefer a data format you can validate (JSON/Protobuf) and bound its size.
HttpClient client = HttpClient.newBuilder()
    .connectTimeout(Duration.ofSeconds(5))   // fail fast, don't hang
    .build();

Keep dependencies patched — most breaches exploit a known CVE in an old library, so run a scanner (OWASP Dependency-Check, mvn versions:display-dependency-updates) in CI.

The program below puts the core ideas together: allowlist validation, salted password stretching, constant-time verification, and proof that two users with the same password get different hashes.

java— editable, runs on the server

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat;

public class Main {

// A tiny "user store" record. Never store the raw password.
    record Account(String user, byte[] salt, byte[] hash, int iterations) {}

// Stretch a password with a salt over many SHA-256 rounds (a teaching
    // stand-in for PBKDF2; the production API is shown in the prose).
    static byte[] stretch(char[] password, byte[] salt, int iterations) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        for (char c : password) md.update((byte) c);
        byte[] digest = md.digest();
        for (int i = 1; i < iterations; i++) {
            md.reset();
            md.update(salt);
            digest = md.digest(digest);
        }
        return digest;
    }

static Account register(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        SecureRandom.getInstanceStrong().nextBytes(salt);
        int iterations = 120_000;
        byte[] hash = stretch(password, salt, iterations);
        // Wipe the secret from memory once we are done with it.
        java.util.Arrays.fill(password, '\0');
        return new Account(user, salt, hash, iterations);
    }

// Compare digests in constant time so an attacker cannot learn the
    // correct prefix from response timing.
    static boolean verify(Account acc, char[] attempt) throws Exception {
        byte[] candidate = stretch(attempt, acc.salt(), acc.iterations());
        java.util.Arrays.fill(attempt, '\0');
        return MessageDigest.isEqual(candidate, acc.hash());
    }

// Allowlist validation: reject anything that is not a known-good shape.
    static boolean isValidUsername(String s) {
        return s != null && s.matches("[a-z0-9_]{3,16}");
    }

public static void main(String[] args) throws Exception {
        System.out.println("== Input validation (allowlist) ==");
        for (String candidate : new String[]{"alice_99", "Robert'); DROP TABLE", "ab"}) {
            System.out.println("  " + candidate + " -> " + isValidUsername(candidate));
        }

System.out.println("\n== Password hashing ==");
        Account acc = register("alice_99", "Sup3r-Secret!".toCharArray());
        System.out.println("  salt (hex)   : " + HexFormat.of().formatHex(acc.salt()).substring(0, 16) + "...");
        System.out.println("  iterations   : " + acc.iterations());
        System.out.println("  hash length  : " + acc.hash().length + " bytes");

System.out.println("\n== Login attempts ==");
        System.out.println("  correct pw   : " + verify(acc, "Sup3r-Secret!".toCharArray()));
        System.out.println("  wrong pw     : " + verify(acc, "wrong-guess".toCharArray()));

System.out.println("\n== Salts make identical passwords differ ==");
        Account a = register("bob", "samePass123".toCharArray());
        Account b = register("carol", "samePass123".toCharArray());
        String ha = Base64.getEncoder().encodeToString(a.hash());
        String hb = Base64.getEncoder().encodeToString(b.hash());
        System.out.println("  same input, equal hash? " + ha.equals(hb));

System.out.println("\n== Constant-time compare ==");
        byte[] x = "secret".getBytes();
        System.out.println("  isEqual(x, x)      : " + MessageDigest.isEqual(x, x));
        System.out.println("  isEqual(x, tampered): " + MessageDigest.isEqual(x, "secre!".getBytes()));
    }
}

What to take from the run:

The allowlist accepts alice_99 but rejects both Robert'); DROP TABLE and the too-short ab, so malicious or malformed input never reaches the next layer.
Stretching a password produces a fixed 32-byte digest over 120,000 iterations — the cost is what makes brute-forcing the stored hash impractical.
verify returns true for the correct password and false for the wrong one, because the candidate hash only matches when the input is identical.
Two different users registering the very same password get unequal hashes (same input, equal hash? false), proving the per-user random salt does its job.
MessageDigest.isEqual reports true for identical bytes and false for a one-character change, giving a constant-time comparison that does not leak through timing.

Practice

Why must passwords be stored with a slow, salted key-derivation function such as PBKDF2 instead of a single round of SHA-256?

A slow, salted KDF makes brute-forcing the stored hashes impractical and stops attackers from precomputing rainbow tables across users.
SHA-256 cannot accept a salt, so it is impossible to hash a password with it.
A single SHA-256 round produces output that is too short to store in a database.
PBKDF2 encrypts the password so it can later be decrypted and shown to the user.