---
title: Java Compatibility Requirements
description: Datadog, the leading service for cloud-scale monitoring.
---

# Java Compatibility Requirements

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Application Security capabilities{% #application-security-capabilities %}

The following application security capabilities are supported in the Java library, for the specified tracer version:

| Application Security capability        | Minimum Java tracer version |
| -------------------------------------- | --------------------------- |
| Threat Detection                       | 1.8.0                       |
| API Security                           | 1.31.0                      |
| Threat Protection                      | 1.9.0                       |
| Customize response to blocked requests | 1.11.0                      |
| Software Composition Analysis (SCA)    | 1.1.4                       |
| Code Security                          | 1.15.0                      |
| Automatic user activity event tracking | 1.20.0                      |

The minimum tracer version to get all supported application security capabilities for Java is 1.31.0.

**Note**: Threat Protection requires enabling [Remote Configuration](https://docs.datadoghq.com/tracing/guide/remote_config/), which is included in the listed minimum tracer version.

### Supported deployment types{% #supported-deployment-types %}

| Type              | Threat Detection support | Software Composition Analysis |
| ----------------- | ------------------------ | ----------------------------- |
| Docker            | yes                      | yes                           |
| Kubernetes        | yes                      | yes                           |
| Amazon ECS        | yes                      | yes                           |
| AWS Fargate       | yes                      | yes                           |
| AWS Lambda        | yes                      |
| Azure App Service | yes                      | yes                           |

**Note**: Azure App Service is supported for **web applications only**. Application Security doesn't support Azure Functions.

## Language and framework compatibility{% #language-and-framework-compatibility %}

### Supported Java versions{% #supported-java-versions %}

The Java Tracer supports automatic instrumentation for the following Oracle JDK and OpenJDK JVM runtimes.

| JVM versions | Operating Systems                                                        | Support level | Tracer version |
| ------------ | ------------------------------------------------------------------------ | ------------- | -------------- |
| 8 to 21      | Windows (x86-64); Linux (glibc, musl) (arm64, x86-64); macOS (arm64, x86-64) | Supported     | Latest         |

Datadog does not officially support any early-access versions of Java.

Versions 22 and above are supported in Preview.

### Web framework compatibility{% #web-framework-compatibility %}

- Attacker source HTTP request details
- Tags for the HTTP request (status code, method, etc.)
- Distributed Tracing to see attack flows through your applications

##### Application Security Capability Notes{% #application-security-capability-notes %}

- **Software Composition Analysis** is supported on all frameworks
- If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities.

| Framework        | Versions      | Threat Detection supported? | Threat Protection supported? | Code Security? |
| ---------------- | ------------- | --------------------------- | ---------------------------- | -------------- |
| Grizzly          | 2.0+          | yes                         | yes                          | yes            |
| Glassfish        |               | yes                         | yes                          | yes            |
| Java Servlet     | 2.3+, 3.0+    | yes                         | yes                          | yes            |
| Jetty            | 7.0-9.x, 10.x | yes                         | yes                          | yes            |
| Spring Boot      | 1.5           | yes                         | yes                          | yes            |
| Spring Web (MVC) | 4.0+          | yes                         | yes                          | yes            |
| Spring WebFlux   | 5.0+          | yes                         |
| Tomcat           | 5.5+          | yes                         | yes                          | yes            |
| Vert.x           | 3.4+, 4+      | yes                         | yes                          | yes            |

**Note**: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as WebSphere, WebLogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty.

{% alert level="info" %}
If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7).
{% /alert %}

### Networking framework compatibility{% #networking-framework-compatibility %}

`dd-java-agent` includes support for automatically tracing the following networking frameworks.

**Networking tracing provides:**

- Distributed tracing through your applications
- Request-based blocking

##### Application Security Capability Notes{% #application-security-capability-notes-1 %}

- **Software Composition Analysis** is supported on all frameworks
- If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities.

| Framework                          | Versions | Threat Detection supported? | Threat Protection supported? | Code Security? |
| ---------------------------------- | -------- | --------------------------- | ---------------------------- | -------------- |
| Apache HTTP Client                 | 4.0+     | yes                         |
| gRPC                               | 1.5+     | yes                         |
| HttpURLConnection                  | all      | yes                         |
| Jax RS Clients                     | 2.0+     | yes                         | yes                          | yes            |
| Jersey Server                      | 1.9-2.29 | yes                         | yes                          | yes            |
| Netty HTTP Server                  | 3.8+     | yes                         |
| RESTEasy                           | 3.0.x    | yes                         |
| Spring SessionAwareMessageListener | 3.1+     | yes                         |

### Data store compatibility{% #data-store-compatibility %}

`dd-java-agent` includes support for automatically tracing the following database frameworks/drivers.

**Datastore tracing provides:**

- Timing request to response
- Query info (for example, a sanitized query string)
- Error and stacktrace capturing

##### Application Security Capability Notes{% #application-security-capability-notes-2 %}

- **Software Composition Analysis** is supported on all frameworks
- **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below.
- If your framework is not supported below, **Code Security** won't detect SQL Injection vulnerabilities, but will still detect the rest of the vulnerability types listed [here](https://docs.datadoghq.com/security/code_security/software_composition_analysis/).

| Database  | Versions | Threat Detection supported? | Code Security? |
| --------- | -------- | --------------------------- | -------------- |
| Aerospike | 4.0+     | yes                         |
| Couchbase | 2.0+     | yes                         |
| JDBC      | N/A      | yes                         | yes            |
| MongoDB   | 3.0-4.0+ | yes                         |

`dd-java-agent` is also compatible with common JDBC drivers for Threat Detection, such as:

- Apache Derby
- Firebird SQL
- H2 Database Engine
- HSQLDB
- IBM DB2
- MariaDB
- MSSQL (Microsoft SQL Server)
- MySQL
- Oracle
- PostgreSQL
- ScalikeJDBC

### User Authentication Frameworks compatibility{% #user-authentication-frameworks-compatibility %}

**Integrations to User Authentication Frameworks provide:**

- User login events, including the user IDs
- Account Takeover detection monitoring for user login events

| Framework       | Minimum Framework Version |
| --------------- | ------------------------- |
| Spring Security | 5.5+                      |
