Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
In distributed systems, managing multi-step processes (e.g., validating a driver, calculating fares, notifying users) can be difficult. We need to manage state, scattered retry logic, and maintain context when services fail.
Dapr Workflows solves this via Durable Execution which includes automatic state persistence, replaying workflows after failures and built-in resilience through retries, timeouts and error handling.
In this tutorial, we'll see how to orchestrate a multi-step flow for a ride-hailing application by integrating Dapr Workflows and Spring Boot:
1. Introduction
JDK 24 delivers key security upgrades, hardening cryptography, PKI, and TLS. In this article, we go in-depth into the Security improvements that the JDK 24 release of Java brings.
2. Post-Quantum Cryptography
With the increase in quantum computers, there is a looming threat to cryptography. Quantum computers will eventually be powerful enough to break current encryption standards. To stay ahead, we are integrating algorithms that even quantum processors can’t crack. Shor’s algorithm factors large primes exponentially faster, thereby shattering RSA, ECC, and Diffie-Hellman public-key systems used in TLS handshakes and signatures.
JDK 24 brings a plethora of post-quantum cryptographic security improvements with JEP 496, JEP 497, and JEP 478.
2.1. JEP 496: ML-KEM Key Encapsulation Mechanism
With JEP 496, Java has added a quantum-resistant key encapsulation mechanism (ML-KEM) to JDK 24. This is a lattice-based key encapsulation mechanism. It allows us to establish shared keys over an insecure channel securely. By implementing this now, we ensure our communication remains private even in a post-quantum world.
It brings new KeyPairGenerator, KEM, and KeyFactory APIs with multiple parameter sets (ML-KEM-512/-768/-1024), which are designed to withstand future quantum attacks that would break RSA/DH-style key exchange.
2.2. JEP 497: ML-DSA Digital Signature Algorithm
Let’s talk about JEP 497, which focuses on digital signatures. Java 24 has added ML-DSA, a standard for verifying the authenticity and integrity of data. When we sign our code or documents with ML-DSA, we can trust that they haven’t been tampered with by future quantum attackers.
To use it, we will work with the KeyPairGenerator and Signature APIs using the new algorithm name “ML-DSA”. We can also choose specific security strengths.
2.3. JEP 478: Key Derivation Function (KDF) API
Java introduced a new KDF API via JEP 478. This provides a unified way for us to derive cryptographic keys from secret material. It supports modern algorithms like HKDF and is designed to be extensible. We can now manage our keys more flexibly and securely across different protocols. Previously, we had to force KDFs into existing classes like SecretKeyFactory. Now, we have a clean, first-class javax.crypto.KDF class.
3. Core Cryptography Improvements
In this section, we’re looking at how JDK 24 polishes the core cryptographic engine. These updates aren’t just about new algorithms but about making the ones we already use faster, more standardised, and compatible with high-end hardware.
3.1. Standardised RSASSA-PSS Hash and MGF Names
With this update, we now have a clear, documented set of standard names for hash functions and Mask Generation Functions (MGF).
We can use the PSSParameterSpec and MGF1ParameterSpec classes to define these. For instance, we can now more explicitly point to SHA3-256 within an MGF1ParameterSpec using standardised string constants.
This keeps our security configurations consistent across different Java providers.
3.2. SHA-3 MessageDigest Performance Improvements
JDK 24 has optimised the SHA-3 implementation within the MessageDigest class. By leveraging modern CPU instructions, the update has significantly reduced the overhead for computing hashes.
Whether we are verifying file integrity or building digital signatures, the MessageDigest.getInstance(“SHA3-256”) call will now execute much more quickly on supported hardware.
3.3. PKCS#11 AES Ciphertext Stealing (CTS) Mode Support
AES-CTS (Advanced Encryption Standard with Ciphertext Stealing) is a symmetric encryption mode that allows data to be encrypted without requiring padding, keeping the ciphertext size identical to the plaintext.
This is fairly common on smartcards.
With the new Java 24 update, Hardware Security Modules (HSMs) or smartcards now have better support for AES-CTS via the SunPKCS11 provider.
This is critical for protocols like Kerberos that require “ciphertext stealing” to handle data that doesn’t fit perfectly into block sizes without adding extra padding.
We can configure this in our PKCS#11 configuration file using the new cipherTextStealingVariant attribute (choosing from CS1, CS2 or CS3). This allows Java to communicate perfectly with native hardware that expects these specific AES variants.
4. PKI and Trust Store Updates
JDK 24 brings essential updates to the default trust store and how we manage certificates to keep that foundation solid.
4.1. Curated Trust Store Updates
JDK 24 introduces an updated cacerts trust store, the pre-configured collection of root certificates from trusted Certificate Authorities (CAs). This release includes the addition of several new root certificates.
Simultaneously, with this Java 24 update, expired or distrusted certificates have been removed. This automated maintenance ensures we don’t accidentally trust outdated or compromised anchors.
4.2. Enhanced Disabling of Weak Algorithms
JDK 24 brings more granular control over which certificates we trust through pattern matching. A new mechanism allows us to disable TLS cipher suites or certificate types using wildcard syntax in the jdk.tls.disabledAlgorithms security property.
For example, we can now use TLS_RSA_* to broadly restrict legacy suites that lack forward secrecy.
This makes our configuration files much cleaner and easier to manage as security standards evolve.
5. Security Model Evolution
The most significant shift in the security model is the permanent disabling of the Security Manager (JEP 486). With this Java 24 update, we can no longer enable it at startup or install a custom one at runtime. This marks the end of the “sandbox” era for locally executed code. By removing this complex legacy layer, JDK 24 streamlines the internal security architecture, reducing maintenance overhead and improving performance for modern applications that rely on container-level or OS-level security instead.
Additionally, JDK 24 brings a stricter approach to native code. With JEP 472, the platform prepares to restrict the use of JNI (Java Native Interface). This pushes us toward the safer Foreign Function & Memory (FFM) API, ensuring that our native integrations are more transparent and better aligned with the platform’s long-term integrity goals.
6. Conclusion
In this article, we discussed how, by integrating Post-Quantum Cryptography through its JEPs, Java24 is preparing our systems today for the threats of tomorrow. We can now deploy ML-KEM and ML-DSA with the confidence that our encryption and signatures will withstand the arrival of quantum computing. Simultaneously, we have moved past legacy hurdles with this Java 24 update. The removal of the Security Manager and the shift toward restricted native access demonstrate a commitment to a leaner, more performant, and more transparent security model. Ultimately, these enhancements ensure that the Java ecosystem remains the gold standard for enterprise security.
