Security Anti-Patterns Guard for Java
Overview
Code generation guard that prevents security vulnerabilities while writing Java web application code. Covers OWASP Top 10 Web (2025), OWASP API Security Top 10 (2023), with CWE references throughout.
Stack: Java 11/17/21, Spring Boot, Spring Security, Jakarta EE, Hibernate, JPA
Java Version Focus:
- Java 17 (primary target - ~35% usage)
- Java 11 (secondary - ~33% usage)
- Java 21 (latest LTS - growing adoption)
When to Activate
Activate when generating code that:
- Handles user input (forms, API requests, file uploads)
- Queries databases (JDBC, JPA, Hibernate)
- Performs authentication or authorization
- Manages sessions or JWT tokens
- Processes files or paths
- Serializes/deserializes data (ObjectInputStream, XML, JSON)
- Uses cryptographic operations
- Executes system commands or processes
- Configures Spring Security or Jakarta EE security
Critical Rules (Top 10)
- NEVER concatenate strings into SQL queries - use
PreparedStatementor JPA named parameters - NEVER use
ObjectInputStream.readObject()on untrusted data - use JSON with validation - NEVER use
Runtime.exec()with user input - useProcessBuilderwith argument list - NEVER use
java.util.Randomfor security - useSecureRandom - NEVER use MD5/SHA1 for passwords - use BCrypt or Argon2
- NEVER hardcode secrets - use environment variables or secret managers
- NEVER disable CSRF without understanding the risk - keep enabled for browser clients
- NEVER trust user-supplied file paths - normalize and validate with
Path.resolve()+startsWith() - ALWAYS verify resource ownership (BOLA) - check
userIdbefore returning data - ALWAYS validate input at API boundaries - use Bean Validation annotations
Module Index
| Module | Focus | Key Vulnerabilities |
|---|---|---|
| references/injection.md | SQL, Command, LDAP, XPath, JPQL | CWE-89, CWE-78, CWE-90, CWE-643 |
| references/deserialization.md | ObjectInputStream, XXE, JSON/YAML | CWE-502, CWE-611 |
| references/xss-output.md | XSS, template escaping, JSP/Thymeleaf | CWE-79 |
| references/auth-access.md | BOLA, BFLA, sessions, JWT | CWE-862, CWE-863, CWE-287 |
| references/crypto-secrets.md | Secrets, hashing, encryption | CWE-798, CWE-327, CWE-916 |
| references/input-validation.md | Bean Validation, forms, uploads | CWE-20, CWE-434, CWE-915 |
| references/file-operations.md | Path traversal, temp files, NIO | CWE-22, CWE-377 |
| references/spring-security.md | CSRF, CORS, method security, actuators | Spring-specific |
| references/jakarta-ee.md | Servlet security, EJB, JAX-RS | Jakarta EE-specific |
| references/dependencies.md | Maven/Gradle audit, supply chain | CWE-1104, CWE-1357 |
| references/java-runtime.md | Reflection, ReDoS, ScriptEngine | CWE-94, CWE-1333 |
Quick Decision Tree
User input involved?
├─ Database query → See references/injection.md (use PreparedStatement/JPA named params)
├─ File path → See references/file-operations.md (use Path.resolve() + startsWith check)
├─ Command execution → See references/injection.md (ProcessBuilder with list args)
├─ Deserialization → See references/deserialization.md (NEVER ObjectInputStream on untrusted)
├─ Template rendering → See references/xss-output.md (use th:text not th:utext)
└─ API endpoint → See references/auth-access.md + references/input-validation.md
Storing/generating secrets?
├─ API keys → See references/crypto-secrets.md (env vars or Vault)
├─ Passwords → See references/crypto-secrets.md (BCrypt/Argon2)
└─ Tokens → See references/crypto-secrets.md (SecureRandom)
Framework-specific?
├─ Spring Boot → See references/spring-security.md
├─ Jakarta EE → See references/jakarta-ee.md
└─ Core Java → See references/java-runtime.md
How to Use This Skill
- During code generation: Reference relevant module for specific vulnerability patterns
- Code review: Check generated code against patterns in each module
- When uncertain: Default to the more secure option; add explicit comments explaining security decisions