Agent skill
spring-boot-security
Spring Security 7 implementation for Spring Boot 4. Use when configuring authentication, authorization, OAuth2/JWT resource servers, method security, or CORS/CSRF. Covers the mandatory Lambda DSL migration, SecurityFilterChain patterns, @PreAuthorize, and password encoding. For testing secured endpoints, see spring-boot-testing skill.
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/security/spring-boot-security-joaquimscosta-arkhe-claude-plugins
SKILL.md
Spring Security 7 for Spring Boot 4
Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.
Critical Breaking Changes
| Removed API | Replacement | Status |
|---|---|---|
and() method |
Lambda DSL closures | Required |
authorizeRequests() |
authorizeHttpRequests() |
Required |
antMatchers() |
requestMatchers() |
Required |
WebSecurityConfigurerAdapter |
SecurityFilterChain bean |
Required |
@EnableGlobalMethodSecurity |
@EnableMethodSecurity |
Required |
Core Workflow
- Create SecurityFilterChain bean → Configure with Lambda DSL
- Define authorization rules →
authorizeHttpRequests()withrequestMatchers() - Configure authentication → Form login, HTTP Basic, or OAuth2
- Add method security →
@EnableMethodSecurity+@PreAuthorize - Handle CORS/CSRF → Configure for REST APIs
Quick Patterns
See EXAMPLES.md for complete working examples including:
- REST API Security with JWT/OAuth2 (Java + Kotlin)
- Form Login with Session Security and CSRF
- Method Security with @PreAuthorize and SpEL
- CORS Configuration for cross-origin APIs
- Password Encoder (Argon2 for Security 7)
Spring Boot 4 Specifics
- Lambda DSL is mandatory (no
and()chaining) - Argon2 password encoder:
Argon2PasswordEncoder.defaultsForSpring7() - CSRF for SPAs:
CookieCsrfTokenRepository.withHttpOnlyFalse() - @EnableMethodSecurity replaces
@EnableGlobalMethodSecurity
Detailed References
- Examples: See EXAMPLES.md for complete working code examples
- Troubleshooting: See TROUBLESHOOTING.md for common issues and Boot 4 migration
- Security Configuration: See references/security-config.md for complete SecurityFilterChain patterns
- Authentication: See references/authentication.md for UserDetailsService, password encoding
- JWT/OAuth2: See references/jwt-oauth2.md for resource server, token validation
Anti-Pattern Checklist
| Anti-Pattern | Fix |
|---|---|
Using and() chaining |
Use Lambda DSL closures |
antMatchers() |
Replace with requestMatchers() |
authorizeRequests() |
Replace with authorizeHttpRequests() |
| CSRF disabled without JWT | Keep CSRF for session-based auth |
| Hardcoded credentials | Use environment variables or Secret Manager |
permitAll() on sensitive endpoints |
Audit all permit rules |
Missing authenticated() default |
End with .anyRequest().authenticated() |
Critical Reminders
- Lambda DSL is mandatory — No more
and()chaining in Security 7 - Order matters — More specific
requestMatchersbefore general ones - CSRF for sessions — Only disable for stateless JWT APIs
- Method security needs enabling — Add
@EnableMethodSecurity - Test your security — Use
@WithMockUserand JWT test support (seespring-boot-testing)
Didn't find tool you were looking for?