The Contrast Java agent analyzes the behavior of Java applications running on J2EE containers; newer frameworks like Netty, Play or Vert.X; FatJar/microservice applications like SpringBoot; or even regular desktop Java applications. If there's a JVM, the Java agent can get security insights.

How It Works

To start analyzing an application, install the Java agent by adding it as -javaagent JVM parameter. After installation, continue to use the application as you normally would. (If it's a web application, just click on links, submit forms using normal data, and so forth.) The Java agent's sensors gather information about the application's security, architecture and libraries. You can see the results of the agent's analysis in the Contrast UI.

Supported Technologies

Contrast is tested and proven to be compatible with the following technologies; however, Contrast is also compatible with many more that aren't listed.

Supported JDKS Supported Containers Supported Application Frameworks
AWS Corretto 1.8 GlassFish 4 Apache POI, fileupload, HttpComponents
IBM 1.6, 1.7, 1.8 Grizzly 2.3.20+ Axis (RPC), XMLRPC, RMI, Apache CXF, JMS (javax.jms)
JRockit 1.6 (update 95+ or R28.3.6+) JBoss 4.2, 5, 5.1, 6.1, 7, 7.1 Direct Web Remoting (DWR)
Oracle JDK 1.6, 1.7, 1.8, 11 Jetty 7, 8, 9 DropWizard
Open JDK 1.6, 1.7, 1.8, 11 Karaf 3.0.x Freemarker
Netty 4.x GSON, Kryo, minidev, org.json
Play 2.4 Google Web Toolkit (GWT)
Tomcat 5, 6, 7, 8, 9 Hibernate
Vert.X 3.0 J2SE
WebLogic 10, 11g, 12c JDBC, JDBI, MongoDB
WebSphere* 8.5, 9.0 JSF (MyFaces, RichFaces, Sun)
WildFly 10, 10.1.x java.nio, java.beans
Java EE/J2EE, Servlet/JSP
OWASP ESAPI, AntiSamy, Coverity
Oracle, SQL Server, PostgreSQL, DB2, MySQL, SQLite JDBC drivers
Spring, Spring Boot, Spring AOP
Struts, Struts 2
XStream, Jackson (JSON/XML)
Xerces, JAXB, nu.xom

* Contrast offers limited support for zSeries and AIX environments. Customers using WebSphere on SPARC Solaris require version

Note for Proguard Users

Proguard includes Java bytecode optimization features which break basic assumptions that runtime agents like Contrast rely on. Proguard users that want to protect their applications with Contrast need to avoid these optimizations by using Proguard's -dontoptimize configuration option.