Java (Spring MVC)

Zen Firewall by Aikido helps protect your application by blocking common attacks and unsafe behavior at runtime, with controls you can tune per app and environment. Use the guides below to install and set it up.

https://github.com/AikidoSec/firewall-java

Requirements

Installation & Configuration

1. Install Zen Firewall by Aikido

Download and extract the latest Java agent bundle:

curl -L https://github.com/AikidoSec/firewall-java/releases/latest/download/zen.zip -o zen.zip
unzip zen.zip

Keep the extracted folder structure intact (for example /opt/zen) and make sure your process can read and write it.

Add the Java agent to your runtime:

-javaagent:/opt/zen/agent.jar

For rate limiting and user blocking features, add agent_api.jar to your project.

Gradle:

dependencies {
    implementation files('/opt/zen/agent_api.jar')
}

Maven:

<dependency>
  <groupId>dev.aikido</groupId>
  <artifactId>agent_api</artifactId>
  <version>1.0</version>
  <!-- systemPath is only honoured by Maven when the scope is "system" -->
  <scope>system</scope>
  <systemPath>/opt/zen/agent_api.jar</systemPath>
</dependency>

2. Start Zen Firewall in dry / detection-only mode

Start your app with Zen enabled and dry mode:

AIKIDO_TOKEN=AIK_RUNTIME_... AIKIDO_BLOCK=false java -javaagent:/opt/zen/agent.jar -jar build/myapp.jar

Set the token as an environment variable so the Aikido Zen agent can pick it up. If you don't have a token yet, follow the instructions here.

AIKIDO_TOKEN=AIK_RUNTIME_

We recommend starting your app in dry mode to ensure it works as expected without blocking any requests. We advise running Zen Firewall in staging for two weeks to avoid false positives.

AIKIDO_BLOCK=false

You can use AIKIDO_DEBUG=true to enable debug mode for more detailed information about what the agent is doing. For more information about your environment variables: Configuration via Environment Variables

3. Test your app

Browse to your application and perform a couple of actions or open a couple of pages. Zen will automatically discover the routes in your application.

You can verify a working agent by looking at the following pages of your Zen application:

  • Events: Should show an "Application started" event.

  • Routes: After some time your application routes will start showing here with the method, route and requests.

  • Instances: Should show the number of active instances for your application where Zen is installed.

4. Enable rate limiting and user blocking

Use a filter that checks Zen's decision:

import java.io.IOException;

import dev.aikido.agent_api.ShouldBlockRequest;
// Spring Boot 3 / Servlet 6 packages; on Spring Boot 2 use javax.servlet.* instead
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(2) // runs after the filter that calls SetUser, so user-based decisions are available here
public class RateLimitingFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Ask the agent whether the current request should be stopped (rate limit or user block)
        ShouldBlockRequest.ShouldBlockRequestResult result = ShouldBlockRequest.shouldBlockRequest();

        if (result.block()) {
            if (result.data().type().equals("ratelimited")) {
                String message = "You are rate limited by Zen.";
                // trigger tells you whether the limit was hit per IP or per user
                if (result.data().trigger().equals("ip")) {
                    message = message + " (Your IP: " + result.data().ip() + ")";
                }
                HttpServletResponse httpResponse = (HttpServletResponse) response;
                httpResponse.setStatus(429);
                httpResponse.getWriter().write(message);
                return;
            }

            if (result.data().type().equals("blocked")) {
                HttpServletResponse httpResponse = (HttpServletResponse) response;
                httpResponse.setStatus(403);
                httpResponse.getWriter().write("You are blocked by Zen.");
                return;
            }
        }

        // Not blocked: continue with the rest of the filter chain
        chain.doFilter(request, response);
    }
}

Set users in an earlier filter:

import java.io.IOException;

import dev.aikido.agent_api.SetUser;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(0) // lower order than RateLimitingFilter so the user is known before Zen decides
public class SetUserFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Hardcoded id and name for illustration; take them from the authenticated session in a real app
        SetUser.setUser(new SetUser.UserObject("123", "John Doe"));
        chain.doFilter(request, response);
    }
}
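
An added example, not from the Zen docs or the firewall-java project: a variant of SetUserFilter that takes the user from Spring Security's authenticated principal instead of a hardcoded id. It assumes Spring Security is on the classpath with its default filter order, and Spring Boot 3's jakarta.servlet packages (use javax.servlet on Spring Boot 2).

```java
import java.io.IOException;

import dev.aikido.agent_api.SetUser;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// Assumption: Spring Security's filter chain keeps its default order (-100),
// so at @Order(0) the SecurityContext for this request is already populated.
// Still @Order(0) so it runs before RateLimitingFilter (@Order(2)).
@Component
@Order(0)
public class AuthenticatedUserFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Only tag the request when a real account is logged in. Spring Security
        // represents unauthenticated visitors with an AnonymousAuthenticationToken
        // (isAuthenticated() is true for it), so that case is excluded explicitly.
        if (auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken)) {
            // Use a stable account identifier, never a session id or credential.
            // First argument is the id, second the display name (as in the page's UserObject("123", "John Doe")).
            String userId = auth.getName();
            SetUser.setUser(new SetUser.UserObject(userId, userId));
        }
        chain.doFilter(request, response);
    }
}
```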

5. Set up rate limiting in the dashboard

After you've added the Zen Firewall middleware, you can test it out by logging in to your Aikido account and navigating to the Zen dashboard.

[Screenshot: agent start event logged with info severity and timestamp.]

To protect a route from brute force attacks, set up rate limiting in the Aikido Dashboard:

  1. Click on the created app.

  2. Go to the Routes tab.

  3. Find the route you would like to limit and click Setup rate limiting.

  4. Follow the instructions to configure the rate limit (e.g., 5 requests per minute).

[Screenshot: API route management interface showing authentication routes with protection and rate limiting options. Set rate limiting for POST /auth/login to 5 requests per minute.]

Verify Rate Limiting

Start your app and request the rate-limited route 5 times within a minute. After the fifth attempt, you should receive a rate limit error:

You are rate limited by Aikido firewall. (Your IP: 1.2.3.4)

6. Next steps

Congrats, you've successfully installed Zen Firewall. If you encountered any problems, have concerns or feature requests, don't hesitate to reach out to support.

You can now go and explore the many features that Zen Firewall provides:

Additional information:
