All Products
Search
Document Center

Application Real-Time Monitoring Service:Onboard applications to Application Security

Last Updated:Jun 23, 2026

Onboard a Java application to Application Security with one click in the ARMS console. After onboarding, restart the application's instances to enable protection—no code changes required.

Prerequisites

  • Application Security currently supports only Java applications. Before you begin, ensure the target Java application is integrated with ARMS Application Monitoring. For more information, see Application Monitoring overview.

  • The Java agent for Application Monitoring must meet the following version requirements:

    • For applications in auto-upgrade environments, such as those on Container Service for Kubernetes (ACK) or EDAS, the agent version must be v2.7.1.2 or later.

      Note

      Auto-upgrade environments automatically upgrade the agent when you restart the application or pod. For more information, see Upgrade the ARMS agent.

    • For applications in manual-upgrade environments, the agent version must be v2.7.1.3 or later.

    Log on to the ARMS console and go to the Application Monitoring > Agent Management page to check the agent version of your applications. To upgrade the agent, see Upgrade the ARMS agent.

Authorization

Before onboarding an application, authorize ARMS to access the Alibaba Cloud security services it depends on.

  1. Log on to the ARMS console.

  2. In the left-side navigation pane, choose Application Security > Application List.

  3. In the Application Security section, click Authorize Now.

  4. In the Note dialog box that appears, click Confirm.

    After you grant the authorization, ARMS automatically creates the AliyunServiceRoleForARMSSecurity service-linked role. You can then view the application list and onboard your target application. For more information about the permissions of this role, see Service-linked role for Application Security.

    Note

    If a message indicates that the current RAM user does not have the permissions to create a service-linked role, contact the administrator of your Alibaba Cloud account to attach the required policy to the RAM user. For more information, see FAQ.

Onboard via Application Monitoring

Agent versions 2.7.1.4 and later let you enable Application Security during the Application Monitoring integration.

Onboard from the console

If you did not enable Application Security during the initial Application Monitoring integration, follow these steps to onboard from the console.

  1. Log on to the ARMS console.

  2. In the left-side navigation pane, choose Application Security > Application List, and then select a region from the top navigation bar.

    The Application List page lists all Java applications that you can onboard to Application Security.

    Note

    Before you onboard an application, ensure that its agent version is v2.7.1.3 or later.

  3. Onboard the target application.

    • To onboard a single application: In the Actions column of the target application, click Monitor . In the dialog box that appears, click Confirm.

    • To onboard multiple applications in bulk:

      1. On the Application List page, click Add Application in the upper-left corner.

      2. In the Add Application dialog box, select the target applications from the No security applications are added. list, click the > icon to move them to the Security applications are added. list, and then click OK.

  4. Restart the instances of the target application for the changes to take effect.

    You can view the onboarding status in the Integration Status column on the Application List page. After all instances are restarted, Application Security takes effect on all instances of the application. If only some instances are restarted, the feature takes effect only on the successfully restarted instances.

    The Instances Added section in the Integration Status column shows the number of onboarded instances and the total number of instances. You can click the numbers to view detailed status information for each instance.

    接入应用安全

Configure protection mode

After onboarding an application, configure its Protection Mode. The available modes are Monitor, Monitor and Block, and Disable. The default is Monitor. After an observation period confirms that your application runs correctly, switch to Monitor and Block for active attack protection.

  1. On the Application Security > Application List page, find the target application and click Protection Settings in the Actions column.

  2. In the Protection Settings dialog box, configure the following parameters and click OK.

    Parameter

    Description

    Protection Mode

    • Monitor: Detects and reports attacks but does not block them. If you have configured alert rules, alerts are generated. This mode does not affect application runtime.

    • Monitor and Block: Detects and blocks attacks. When an attack is blocked, the application throws an exception.

    • Disable: Turns off all Application Security features for the application. No attacks are detected or blocked.

    Detection Timeout Period

    The maximum time allowed for attack detection. Valid values: 5 to 200,000 milliseconds. Default value: 300 milliseconds. If detection exceeds this timeout, original request processing continues. Use the default unless you have a specific reason to change it.

    Check Type

    The categories of attacks to detect. Use the default configuration (all types selected). For more information about each type, see Attack types and protection recommendations.

    Note

    Changes to Protection Settings can take up to 30 seconds to propagate.

Remove an application

Onboarded via Application Monitoring

To remove an application that was onboarded during integration with Application Monitoring:

  • For applications in an ACK cluster:

    Remove the armsSecAutoEnable: "on" tag.

  • For applications in other environments:

    Remove the -Darms.appsec.enable=true startup parameter.

Onboarded from the console

To remove an application that was onboarded from the console, go to the Application Security > Application List page. In the Actions column of the target application, click Remove, and then click Confirm in the confirmation dialog box. After the operation is complete, you must restart the application's instances to fully remove it from Application Security.

Removing an application solely for performance reasons is not recommended. After onboarding, an application runs in Monitor mode by default, which only reports attack alerts without blocking—this does not affect runtime performance. To turn off all detection, switch to Disable mode instead.