Setup App and API Protection for Java in Docker
For faster setup with automatic instrumentation, consider using Single Step APM Instrumentation (SSI), which automatically installs the Datadog SDK with no additional configuration required. See Single Step APM Instrumentation for setup instructions.
Once SSI is set up, you can enable App and API Protection by going to your APM service in the Datadog app → Service Configuration section → Enable Application Security Monitoring.
Overview
Datadog Application Security Management (ASM) provides App and API Protection (AAP) capabilities including:
- Application Security Monitoring: Real-time threat detection and protection against attacks like SQL injection, XSS, and more
- Software Composition Analysis (SCA): Identification of vulnerable dependencies in your codebase
- Interactive Application Security Testing (IAST): Runtime vulnerability detection during testing
ASM uses the Datadog Java tracing library to monitor HTTP requests, analyze patterns, and detect security threats in real time. The library integrates with your existing application without requiring code changes.
For detailed compatibility information, including supported Java versions, frameworks, and deployment environments, see Single Step Instrumentation Compatibility.
This guide explains how to set up App and API Protection (AAP) for Java applications running in Docker containers. The setup involves:
- Installing the Datadog Agent
- Configuring your Java application container
- Enabling AAP monitoring
Prerequisites
- Docker installed on your host
- Java application containerized with Docker
- Datadog Agent installed on the host or as a container
Setup
1. Install and run the Datadog Agent
If you haven’t already, install the Datadog Agent on your host or as a container. For containerized installation:
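# Create the network that the Agent and the application container share
docker network create datadog-network
# Start the Agent on that network with APM enabled for non-local traffic
docker run -d --name datadog-agent \
--network datadog-network \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /proc/:/host/proc/:ro \
-v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
-e DD_API_KEY=<YOUR_API_KEY> \
-e DD_APM_ENABLED=true \
-e DD_APM_NON_LOCAL_TRAFFIC=true \
datadog/agent:latest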
Library setup
To enable AAP capabilities, you need the Datadog Java tracing library (version 0.94.0 or higher) installed in your application environment. Normally, this is done with the run command above. If it is not, you can download the agent manually.
Download the library
Download the latest version of the Datadog Java library:
ADD 'https://dtdg.co/latest-java-tracer' /dd-java-agent.jar
Verify compatibility
To check that your service’s language and framework versions are supported for AAP capabilities, see Single Step Instrumentation Compatibility.
Service configuration
Run your application with AAP enabled
Start your Java application with the Datadog agent and AAP enabled:
ENTRYPOINT ["java", "-javaagent:/dd-java-agent.jar", "-Ddd.appsec.enabled=true", "-Ddd.service=<MY_SERVICE>", "-Ddd.env=<MY_ENV>", "-jar", "/app.jar"]
If you want to use Application Security Management without APM tracing functionality, you can deploy with Standalone App and API Protection. This configuration reduces the amount of APM data sent to Datadog to the minimum required by App and API Protection products.
To enable standalone mode:
- Set the DD_APM_TRACING_ENABLED=false environment variable
- Keep the DD_APPSEC_ENABLED=true environment variable
- This configuration will minimize APM data while maintaining full security monitoring capabilities
ENTRYPOINT ["java", "-javaagent:/dd-java-agent.jar", "-Ddd.appsec.enabled=true", "-Ddd.apm.tracing.enabled=false", "-Ddd.service=<MY_SERVICE>", "-Ddd.env=<MY_ENV>", "-jar", "/app.jar"]
Important considerations:
- File system requirements: Read-only file systems are not currently supported. The application must have access to a writable /tmp directory.
- Service identification: Always specify DD_SERVICE (or -Ddd.service) and DD_ENV (or -Ddd.env) for proper service identification in Datadog.
Add the following to your Dockerfile:
# Download the Datadog Java agent
ADD 'https://dtdg.co/latest-java-tracer' /dd-java-agent.jar
# Set environment variables
ENV DD_APPSEC_ENABLED=true
ENV DD_SERVICE=<YOUR_SERVICE_NAME>
ENV DD_ENV=<YOUR_ENVIRONMENT>
# Add the Java agent to your application's startup command
ENTRYPOINT ["java", "-javaagent:/dd-java-agent.jar", "-jar", "/app.jar"]
3. Run your container
When running your container, make sure to:
- Connect it to the same Docker network as the Datadog Agent
- Set the required environment variables
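# DD_AGENT_HOST points the tracer at the Agent container by its name on the shared network
docker run -d \
--name your-java-app \
--network datadog-network \
-e DD_AGENT_HOST=datadog-agent \
-e DD_APPSEC_ENABLED=true \
-e DD_SERVICE=<YOUR_SERVICE_NAME> \
-e DD_ENV=<YOUR_ENVIRONMENT> \
your-java-app-image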
Verify setup
To verify that AAP is working correctly:
- Send some traffic to your application
- Check the Application Signals Explorer in Datadog
- Look for security signals and vulnerabilities
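If no signals appear, the container's configuration can be checked against the requirements listed in this guide. The script below is an added example, not Datadog code: it reads `docker inspect` output and reports each missing setting. The function names and the SAMPLE_* data are constructed for illustration, and reading JVM flags from JAVA_TOOL_OPTIONS is an assumption about how the container may be started.

```python
import json, sys

def _settings(c):
    """Return (start-command tokens, env vars, -Ddd.* properties) for one container."""
    cfg = c.get("Config", {})
    env = dict(e.split("=", 1) for e in cfg.get("Env") or [] if "=" in e)
    # JVM flags can come from the start command or from JAVA_TOOL_OPTIONS.
    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    argv = argv + env.get("JAVA_TOOL_OPTIONS", "").split()
    props = dict(a[2:].split("=", 1) for a in argv if a.startswith("-Ddd.") and "=" in a)
    return argv, env, props

def _value(env, props, name):
    # Each setting may be an env var or its -Ddd.* twin: DD_ENV <-> dd.env
    return props.get(name.lower().replace("_", ".")) or env.get(name)

def _networks(c):
    return set(c.get("NetworkSettings", {}).get("Networks") or {})

def check_aap_container(app, agent=None):
    """Return findings for one app container; an empty list means all checks passed."""
    argv, env, props = _settings(app)
    findings = []
    if not any(a.startswith("-javaagent:") and a.endswith("dd-java-agent.jar") for a in argv):
        findings.append("dd-java-agent.jar is not loaded with -javaagent")
    if (_value(env, props, "DD_APPSEC_ENABLED") or "").lower() != "true":
        findings.append("AAP not enabled: set DD_APPSEC_ENABLED=true or -Ddd.appsec.enabled=true")
    for name in ("DD_SERVICE", "DD_ENV"):
        value = _value(env, props, name)
        if not value or value.startswith("<"):
            findings.append(f"{name} is unset or still a <PLACEHOLDER>")
    if app.get("HostConfig", {}).get("ReadonlyRootfs"):
        findings.append("read-only root filesystem: not supported, /tmp must be writable")
    if agent is not None and not (_networks(app) & _networks(agent)):
        findings.append("app and Agent containers share no Docker network")
    return findings

# Constructed sample: the fields of `docker inspect` output that the checks read.
SAMPLE_APP = {
    "Config": {"Env": ["DD_APPSEC_ENABLED=true", "DD_SERVICE=<YOUR_SERVICE_NAME>"],
               "Entrypoint": ["java", "-javaagent:/dd-java-agent.jar", "-jar", "/app.jar"]},
    "HostConfig": {"ReadonlyRootfs": True},
    "NetworkSettings": {"Networks": {"bridge": {}}},
}
SAMPLE_AGENT = {"NetworkSettings": {"Networks": {"datadog-network": {}}}}

if __name__ == "__main__":
    # Real use: docker inspect your-java-app datadog-agent > inspect.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else [SAMPLE_APP, SAMPLE_AGENT]
    for finding in check_aap_container(data[0], data[1] if len(data) > 1 else None):
        print("FAIL:", finding)
```

Run without arguments, it reports the four problems in the constructed sample. Pass a file holding the `docker inspect` output for the app and Agent containers to check a real deployment.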
Troubleshooting
If you encounter issues while setting up App and API Protection for your Java application, see the Java App and API Protection troubleshooting guide.