Finally, an easy security layer for Java

JarLock is a super easy way to add a powerful layer of protection to applications running on the Java Virtual Machine.

JarLock

Network Sockets

Create an allow list of network connections, block everything else.

Process Creation

Block the creation of processes within your application.

Java Apis

Easily block dangerous Java APIs such as Java Serialization / Deserialization, JNDI, and more.

No Coding

You don't need to be a programmer to add JarLock to a Java application.

Get Started, it's Easy...

Select the security features you'd like to apply to your Java Application, and download the configuration.

Craft Your Config







 
 

ColdFusion / Lucee Options

Advanced Options


Your jarlock.properties File

JARLOCK_LOG_ENABLED=true
JARLOCK_LOG_VERBOSE=true
JARLOCK_BLOCK_ENABLED=true

JARLOCK_BLOCK_CLASSES=lucee.runtime.functions.other.CFusionEncrypt,CFusionDecrypt,javax.accessibility.AccessibleTextSequence
JARLOCK_BLOCK_PACKAGES=lucee.runtime.functions.csrf,lucee.runtime.functions.orm

JARLOCK_BLOCK_JAVA_SERIALIZATION=true
JARLOCK_BLOCK_JAVA_DESERIALIZATION=true

JARLOCK_TRUSTED_SOURCES=*/WEB-INF/cftags/*,flex.server.j2ee.cache.DependencyChecker,com.adobe.internal.pdfm.util.FontSetBuilder,*iif.cfm,runwar.Server$MonitorThread,runwar.Server$OpenBrowserTask,runwar.Start

JARLOCK_BLOCK_PROCESS_CREATION=true
JARLOCK_BLOCK_PROCESS_DESTROY=true
JARLOCK_BLOCK_PROCESS_ENUMERATION=true

JARLOCK_BLOCK_RUNTIME_EXIT=true

JARLOCK_BLOCK_TOOLPROVIDER=true

JARLOCK_ALLOW_SOCKET_LISTEN=127.0.0.1:8311,127.0.0.1:50311,0.0.0.0:1243
JARLOCK_ALLOW_SOCKET_CONNECT=127.0.0.1:8311,httpbin.org,foundeo.com
          

Why JarLock?

JarLock was born in the wake of the 2021 Log4J vulnerability aptly known as Log4Shell. We wanted an easy way to apply security boundaries to our Java Applications. We didn't use JNDI, so why should we suffer from obscure and vulnerable uses of it in a popular third party library? Further it was hard to know which applications included the vulnerable classes, it would have been nice to be able apply a configuration to block vulnerable classes throughout the JVM.

What about the SecurityManager?

It's true Java does come with a powerful SecurityManager, but many have found it difficult to deploy, difficult to configure, and poor in performance. To make matters worse the SecurityManager has been deprecated as of Java 17 (see JEP 411) in 2011, and is slated to be removed from Java all together via JEP 486 (in Java 24).

What about the Java Module System?

The Java Module System is a great step forward, but many of the powerful features of the JVM live within the java.base module. Often exploited features such as Java Deserialization, executing processes, networking are all implemented within the java.base module, so every module has implicit access to these apis.

Some exploited features, such as JNDI do live within their own module (java.naming), and it is possible to create your own jvm runtime image that excludes such modules. In practice most do not create a custom runtime, and JarLock can be used to protect those.

Finally, even though the module system does prevent a third party lib from using modules besides java.base that it does not explicitly declare. This doesn't often protect the end user. Consider that the log4j's module definition requires java.naming which opens a read edge to the JNDI API.

Using JarLock we can provide an off switch to the APIs which our applications do not require.

Download Now

Pricing

Server License


1 Server
Multiple Instances/Server

 
Request a Quote

10 Pack


10 Server Licenses
Multiple Instances/Server

 
Request a Quote

Enterprise


Unlimited Servers
Unlimited Instances
Source Code Available
 
Request a Quote