Agent skill

spring-boot-security

Spring Security 7 implementation for Spring Boot 4. Use when configuring authentication, authorization, OAuth2/JWT resource servers, method security, or CORS/CSRF. Covers the mandatory Lambda DSL migration, SecurityFilterChain patterns, @PreAuthorize, and password encoding. For testing secured endpoints, see spring-boot-testing skill.

Install this agent skill to your Project

npx add-skill https://github.com/joaquimscosta/arkhe-claude-plugins/tree/main/plugins/spring-boot/skills/spring-boot-security

SKILL.md

Spring Security 7 for Spring Boot 4

Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.

Critical Breaking Changes

| Removed API | Replacement | Status |
|---|---|---|
| and() method | Lambda DSL closures | Required |
| authorizeRequests() | authorizeHttpRequests() | Required |
| antMatchers() | requestMatchers() | Required |
| WebSecurityConfigurerAdapter | SecurityFilterChain bean | Required |
| @EnableGlobalMethodSecurity | @EnableMethodSecurity | Required |

Core Workflow

  1. Create SecurityFilterChain → 2. Define authorization → 3. Configure authentication → 4. Add method security → 5. Handle CORS/CSRF

See WORKFLOW.md for detailed step-by-step instructions with code examples.

Quick Patterns

See EXAMPLES.md for complete working examples including:

  • REST API Security with JWT/OAuth2 (Java + Kotlin)
  • Form Login with Session Security and CSRF
  • Method Security with @PreAuthorize and SpEL
  • CORS Configuration for cross-origin APIs
  • Password Encoder (Argon2 for Security 7)

Spring Boot 4 Specifics

  • Lambda DSL is mandatory (no and() chaining)
  • Argon2 password encoder: Argon2PasswordEncoder.defaultsForSpring7()
  • CSRF for SPAs: CookieCsrfTokenRepository.withHttpOnlyFalse()
  • @EnableMethodSecurity replaces @EnableGlobalMethodSecurity

Detailed References

  • Workflow: See WORKFLOW.md for detailed step-by-step security configuration
  • Examples: See EXAMPLES.md for complete working code examples
  • Troubleshooting: See TROUBLESHOOTING.md for common issues and Boot 4 migration
  • Security Configuration: See references/SECURITY-CONFIG.md for complete SecurityFilterChain patterns
  • Authentication: See references/AUTHENTICATION.md for UserDetailsService, password encoding
  • JWT/OAuth2: See references/JWT-OAUTH2.md for resource server, token validation

Related Skills

| Need | Skill |
|---|---|
| Testing secured endpoints | spring-boot-testing |
| Actuator endpoint security | spring-boot-observability |
| Dependency verification | spring-boot-verify |

Anti-Pattern Checklist

| Anti-Pattern | Fix |
|---|---|
| Using and() chaining | Use Lambda DSL closures |
| antMatchers() | Replace with requestMatchers() |
| authorizeRequests() | Replace with authorizeHttpRequests() |
| CSRF disabled without JWT | Keep CSRF for session-based auth |
| Hardcoded credentials | Use environment variables or Secret Manager |
| permitAll() on sensitive endpoints | Audit all permit rules |
| Missing authenticated() default | End with .anyRequest().authenticated() |

Critical Reminders

  1. Lambda DSL is mandatory — No more and() chaining in Security 7
  2. Order matters — More specific requestMatchers before general ones
  3. CSRF for sessions — Only disable for stateless JWT APIs
  4. Method security needs enabling — Add @EnableMethodSecurity
  5. Test security configuration — Use @WithMockUser and JWT test support (see spring-boot-testing)
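
The checklist and reminders above, combined in one configuration (an added example, not taken from the skill's EXAMPLES.md): a stateless JWT chain where CSRF is disabled, next to a session-based chain where it stays on. The paths, the ADMIN role and the class name are assumptions, and the JWT chain assumes the OAuth2 resource server starter with `spring.security.oauth2.resourceserver.jwt.issuer-uri` set so that a JwtDecoder bean exists.

```java
// Added example. Paths, role names and the class name are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // without this, @PreAuthorize annotations are not enforced
public class SecurityConfig {

    // Chain 1: stateless JWT API. CSRF is disabled only here, because no
    // session cookie authenticates these requests.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                // Specific rules first: the first matching rule decides.
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()) // deny-by-default for the rest
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: session-based form login. CSRF protection is left at its
    // default (enabled), since the browser sends the session cookie automatically.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

When auditing a configuration like this, check that every `permitAll()` pattern is narrower than the rules below it and that each chain ends in `anyRequest().authenticated()`.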
