Onboard a Java application to Application Security with one click in the ARMS console. After onboarding, restart the application's instances to enable protection—no code changes required.
Prerequisites
-
Application Security currently supports only Java applications. Before you begin, ensure the target Java application is integrated with ARMS Application Monitoring. For more information, see Application Monitoring overview.
-
The Java agent for Application Monitoring must meet the following version requirements:
-
For applications in auto-upgrade environments, such as those on Container Service for Kubernetes (ACK) or EDAS, the agent version must be v2.7.1.2 or later.
NoteAuto-upgrade environments automatically upgrade the agent when you restart the application or pod. For more information, see Upgrade the ARMS agent.
-
For applications in manual-upgrade environments, the agent version must be v2.7.1.3 or later.
Log on to the ARMS console and go to the page to check the agent version of your applications. To upgrade the agent, see Upgrade the ARMS agent.
-
Authorization
Before onboarding an application, authorize ARMS to access the Alibaba Cloud security services it depends on.
-
Log on to the ARMS console.
-
In the left-side navigation pane, choose .
-
In the Application Security section, click Authorize Now.
-
In the Note dialog box that appears, click Confirm.
After you grant the authorization, ARMS automatically creates the AliyunServiceRoleForARMSSecurity service-linked role. You can then view the application list and onboard your target application. For more information about the permissions of this role, see Service-linked role for Application Security.
NoteIf a message indicates that the current RAM user does not have the permissions to create a service-linked role, contact the administrator of your Alibaba Cloud account to attach the required policy to the RAM user. For more information, see FAQ.
Onboard via Application Monitoring
Agent versions 2.7.1.4 and later let you enable Application Security during the Application Monitoring integration.
-
For applications in an ACK cluster:
Add the tag
armsSecAutoEnable: "on". For more information, see Install the Java agent for applications in ACK and ACK Serverless clusters by using the ack-onepilot component. -
For applications in other environments:
Add the
-Darms.appsec.enable=truestartup parameter. For more information, see Manually install the agent.
Onboard from the console
If you did not enable Application Security during the initial Application Monitoring integration, follow these steps to onboard from the console.
-
Log on to the ARMS console.
-
In the left-side navigation pane, choose , and then select a region from the top navigation bar.
The Application List page lists all Java applications that you can onboard to Application Security.
NoteBefore you onboard an application, ensure that its agent version is v2.7.1.3 or later.
-
Onboard the target application.
-
To onboard a single application: In the Actions column of the target application, click Monitor . In the dialog box that appears, click Confirm.
-
To onboard multiple applications in bulk:
-
On the Application List page, click Add Application in the upper-left corner.
-
In the Add Application dialog box, select the target applications from the No security applications are added. list, click the > icon to move them to the Security applications are added. list, and then click OK.
-
-
-
Restart the instances of the target application for the changes to take effect.
You can view the onboarding status in the Integration Status column on the Application List page. After all instances are restarted, Application Security takes effect on all instances of the application. If only some instances are restarted, the feature takes effect only on the successfully restarted instances.
The Instances Added section in the Integration Status column shows the number of onboarded instances and the total number of instances. You can click the numbers to view detailed status information for each instance.

Configure protection mode
After onboarding an application, configure its Protection Mode. The available modes are Monitor, Monitor and Block, and Disable. The default is Monitor. After an observation period confirms that your application runs correctly, switch to Monitor and Block for active attack protection.
-
On the page, find the target application and click Protection Settings in the Actions column.
-
In the Protection Settings dialog box, configure the following parameters and click OK.
Parameter
Description
Protection Mode
-
Monitor: Detects and reports attacks but does not block them. If you have configured alert rules, alerts are generated. This mode does not affect application runtime.
-
Monitor and Block: Detects and blocks attacks. When an attack is blocked, the application throws an exception.
-
Disable: Turns off all Application Security features for the application. No attacks are detected or blocked.
Detection Timeout Period
The maximum time allowed for attack detection. Valid values: 5 to 200,000 milliseconds. Default value: 300 milliseconds. If detection exceeds this timeout, original request processing continues. Use the default unless you have a specific reason to change it.
Check Type
The categories of attacks to detect. Use the default configuration (all types selected). For more information about each type, see Attack types and protection recommendations.
NoteChanges to Protection Settings can take up to 30 seconds to propagate.
-
Remove an application
Onboarded via Application Monitoring
To remove an application that was onboarded during integration with Application Monitoring:
-
For applications in an ACK cluster:
Remove the
armsSecAutoEnable: "on"tag. -
For applications in other environments:
Remove the
-Darms.appsec.enable=truestartup parameter.
Onboarded from the console
To remove an application that was onboarded from the console, go to the page. In the Actions column of the target application, click Remove, and then click Confirm in the confirmation dialog box. After the operation is complete, you must restart the application's instances to fully remove it from Application Security.
Removing an application solely for performance reasons is not recommended. After onboarding, an application runs in Monitor mode by default, which only reports attack alerts without blocking—this does not affect runtime performance. To turn off all detection, switch to Disable mode instead.