The Contrast Java agent analyzes the behavior of Java applications running on J2EE containers; newer frameworks like Netty, Play or Vert.X; FatJar/microservice applications like SpringBoot; or even regular desktop Java applications. If there's a JVM, the Java agent can get security insights.
How it Works
To start analyzing an application, install the Java agent by adding it as -javaagent JVM parameter. After installation, continue to use the application as you normally would. (If it's a web application, just click on links, submit forms using normal data, and so forth.) The Java agent's sensors gather information about the application's security, architecture and libraries. You can see the results of the agent's analysis in the Contrast interface.
To install the Java agent, complete the following steps:
- Log in to the Contrast interface.
- Click the button in the top navigation bar to Add Agent.
- Select the Java agent in the dropdown menu, and click the button to Download Agent. You may need to specify proxy authentication information required by your network before downloading the agent.
Note: You must not rename the contrast.jar file. If the agent file name is changed, the agent will fail to connect with the Contrast application.
To start analyzing an application, use the web application as you normally would in your browser: click on links, submit forms using normal data, etc. The sensors of the Contrast Java agent will gather information about the application’s security, architecture and libraries. You can view the results of the agent’s analysis in the Contrast interface.
If you want to download the agent and test with WebGoat, Contrast has a public repository to help you get started.
Contrast is tested and proven to be compatible with the following technologies; however, Contrast is also compatible with many more that aren't listed.
| Supported JDKS | Supported Containers | Supported Application Frameworks |
|---|---|---|
| IBM 1.5 (2008+), 1.6, 1.7 | GlassFish 3, 4 | Apache POI, fileupload, HttpComponents |
| JRockit 1.5, 1.6 (update 95+ or R28.3.6+) | Grizzly 2.3.20+ | Axis (RPC), XMLRPC, RMI, Apache CXF, JMS (javax.jms) |
| Oracle JDK 1.5, 1.6, 1.7, 1.8 | JBoss 4.2, 5, 5.1, 6.1, 7, 7.1 | Direct Web Remoting (DWR) |
| Open JDK 1.5, 1.6, 1.7, 1.8 | Jetty 6, 7, 8, 9 | DropWizard |
| Karaf 3.0.x | Freemarker, Velocity | |
| Netty 3.x, 4.x | GSON, Kryo, minidev, org.json | |
| Play 2.2,2.3,2.4 | Google Web Toolkit (GWT) | |
| Tomcat 4, 5, 6, 7, 8 | Hibernate | |
| Vert.X 3.0+ | J2SE | |
| WebLogic 9, 10, 11g, 12c | JDBC, JDBI, MongoDB | |
| WebSphere 6.1, 7, 8, 8.5* | JSF (MyFaces, RichFaces, Sun) | |
| WildFly 10, 10.1.x | java.nio, java.beans | |
| Java EE/J2EE, Servlet/JSP | ||
| Jersey | ||
| OWASP ESAPI, AntiSamy, Coverity | ||
| Oracle, SQL Server, PostgreSQL, DB2, MySQL JDBC drivers | ||
| Seam | ||
| Spring, Spring Boot | ||
| Struts, Struts 2 | ||
| Wicket | ||
| XStream, Jackson (JSON/XML) | ||
| Xerces, JAXB, nu.xom |
* Contrast tests WebSphere on Windows and Linux, and offers limited support for zSeries and AIX environments. Customers using WebSphere on SPARC Solaris require version 8.5.5.11.
Note for Proguard Users
Proguard includes Java bytecode optimization features which break basic assumptions that runtime agents like Contrast rely on. Proguard users that want to protect their applications with Contrast need to avoid these optimizations by using Proguard's -dontoptimize configuration option.
