Skip to main content
jGuard

Capability-Based Security for the JVM

Execute untrusted code with explicit, least-privilege access controls. Built for JDK 21+ in the post-SecurityManager era.

module-info.jguard
security module com.example.myapp {
    entitle com.example.myapp.http.. to network.outbound;
    entitle com.example.myapp.io..   to fs.read(data, "**");
    entitle com.example.myapp..      to threads.create;
}
Get StartedView on GitHub

Why jGuard?

The Java Security Manager was deprecated in JDK 17 and removed in JDK 24. jGuard provides capability-based security for the modern JVM.

🔒

No Ambient Authority

Code cannot implicitly access sensitive resources. All operations require explicit capabilities—no hidden permissions, no surprises.

📦

Modules as Principals

JPMS module identity serves as the root of trust. Packages provide fine-grained refinement for precise security boundaries.

🚫

Deny by Default

Operations fail unless capabilities are explicitly granted. Security is opt-in, not opt-out—the safest default posture.

📋

Deterministic Policy

Security policies compile to auditable metadata suitable for human review. Know exactly what your code can and cannot do.

⚙️

Multiple Execution Modes

Run in STRICT mode for production, PERMISSIVE for development, or AUDIT mode to log violations without blocking—fit your workflow.

🚀

Production Ready

Comprehensive enforcement, JPMS integration, CLI toolset with thejguardc compiler and jguard inspector.

Override Policies at Deployment

Restrict overly permissive libraries without rebuilding. Denials always win.

Embedded Policy (library)
// Embedded in library JAR - overly permissive
security module com.vendor.library {
    entitle module to network.outbound;
    entitle module to native.load;
    entitle module to fs.read(data, "**");
}
External Override (deployer)
// External override - restrict at deployment
security module com.vendor.library {
    deny module to network.outbound;
    deny module to native.load;
    // fs.read(data, "**") remains allowed
}

Protect Against Legacy Libraries

Apply least-privilege to third-party JARs that don't ship with jGuard policies.

policies/legacy.untrusted.library.jguard
// Secure legacy libraries without jGuard support
security module legacy.untrusted.library {
    // Grant only what the library needs
    entitle module to fs.read(config, "*.properties");
    entitle module to system.property.read("java.version");

    // Everything else denied by default:
    // - No network access
    // - No thread creation
    // - No native code
}

Use Cases

jGuard is designed for JVM applications that need to execute untrusted code safely.

Plugin Systems

Safely execute third-party plugins with explicit capability grants.

Learn more

ML/AI Isolation

Sandbox ML model execution and control resource access.

Learn more

Multi-Module Applications

Isolate modules with independent security policies.

Learn more

Search Engines

Secure custom scoring scripts and query-time code execution.

Learn more