For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/application_security/setup/compatibility/java.md. A documentation index is available at /llms.txt.

Java Compatibility Requirements

This product is not supported for your selected Datadog site. ().

App and API Protection capabilities

The following App and API Protection capabilities are supported in the Java library, for the specified tracer version:

App and API Protection capabilityMinimum Java tracer version
HTTP Monitoring1.51.0
gRPC Monitoring1.36.0
GraphQL Monitoring1.32.0
Exploit Prevention1.45.0
API Security1.54.0
Account Takeover Protection1.39.0
Runtime Activation1.13.0
Runtime Software Composition Analysis (SCA)1.13.0
Runtime Code Analysis (IAST)1.47.0

The minimum tracer version to get all supported App and API Protection capabilities for Java is 1.54.0. Note: Blocking requires enabling Remote Configuration, which is included in the listed minimum tracer version.

Supported deployment types

Deployment typeSupport
Docker
Kubernetes
Amazon ECS
AWS Fargate
AWS Lambda
Azure App Service

Note: Azure App Service is supported for web applications only. App and API Protection doesn’t support Azure Functions.

Language and framework compatibility

Supported Java versions

The Java Tracer supports automatic instrumentation for the following Oracle JDK and OpenJDK JVM runtimes.

JVM versionsOperating SystemsSupport levelTracer version
8 to 17Windows (x86-64)
Linux (glibc, musl) (arm64, x86-64)
MacOS (arm64, x86-64)		SupportedLatest

Datadog does not officially support any early-access versions of Java.

Integrations

The Java tracer includes support for the following frameworks, data stores and libraries.

You can also find more tracing integrations in APM’s tracing compatibility page.

If you don't see your framework of choice listed, let us know! Fill out this short form to send details.

Web framework compatibility

  • Attacker source HTTP request details
  • Tags for the HTTP request (status code, method, etc)
  • Distributed Tracing to see attack flows through your applications
FrameworkVersionsHTTP MonitoringHTTP Blocking
Akka HTTP>=10.0.0
Apache Commons FileUpload>=1.5
Grizzly>=2.0
Jersey>=2.0
Jetty>=7.0
Open Liberty>=20.0
Netty>=3.8.0
Pekko HTTP>=1.0.0
Play Framework>=2.3.0
Ratpack>=1.5.0
RESTEasy>=3.0.0
Servlet>=2.2
Servlet Request Body>=2.2
Spring WebMVC>=3.1.0
Spring WebFlux>=5.0.0
Tomcat>=5.5
Undertow>=2.0.0
Vert.x>=3.4.0

Note: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as Websphere, Weblogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty.

Networking framework compatibility

HTTP client

FrameworkVersionsServer-side Request Forgery (SSRF)
OkHttp>=2.2
java.net (URL/HttpURLConnection)*
java.net.http (HttpClient)*
Apache HttpClient 4>=4.0 <=4.99.99
Apache HttpClient 5>=5.0
Apache HttpAsyncClient 4>=4.0
Apache Commons HttpClient>=2.0
Apache HttpCore>=4.0 <=4.99.99
Apache HttpCore 5>=5.0
Scala Standard Library>=2.10.7

gRPC

FrameworkVersionsgRPC MonitoringgRPC Blocking
gRPC>=1.5.0

Data store compatibility

Datastore tracing provides:

  • SQL attack detection
  • Query info (for example, a sanitized query string)
  • Error and stacktrace capturing
FrameworkVersionsSQL Injection (SQLi)
Hibernate>=3.3.0
JDBC>=4.0

GraphQL compatibility

FrameworkVersionsGraphQL Monitoring
graphql-java>=14.0

Filesystem compatibility

FrameworkLocal File Inclusion (LFI)
java.io / java.nio.file
Scala Standard Library

Subprocess compatibility

FrameworkCommand InjectionShell Injection
java.lang (Runtime/ProcessBuilder)

User Authentication Frameworks compatibility

Integrations to User Authentication Frameworks provide:

  • User login events, including the user IDs
  • Account Takeover detection monitoring for user login events
FrameworkAutomatic User Event Tracking
Spring Security