spring-boot-security
Configure Spring Security 6+ with Lambda DSL, JWT, and hardening rules. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot. (triggers: **/*SecurityConfig.java, **/*Filter.java, security-filter-chain, lambda-dsl, csrf, cors)
Best use case
spring-boot-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using spring-boot-security should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/spring-boot-security/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How spring-boot-security Compares
| Feature / Agent | spring-boot-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Spring Security 6+ with Lambda DSL, JWT, and hardening rules. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot. (triggers: **/*SecurityConfig.java, **/*Filter.java, security-filter-chain, lambda-dsl, csrf, cors)
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Spring Boot Security Standards

## **Priority: P0 (CRITICAL)**

## Configure SecurityFilterChain

- **Lambda DSL**: ALWAYS use Lambda DSL.
- **SecurityFilterChain**: Expose as `@Bean`. Do not extend `WebSecurityConfigurerAdapter`.
- **Statelessness**: Enforce `SessionCreationPolicy.STATELESS` for REST APIs.

See [implementation examples](references/implementation.md) for SecurityFilterChain configuration with Lambda DSL and JWT.

## Implement Authentication and Authorization

- **Authentication**: Validation of credentials (Who are you?). Use `AuthenticationManager` or `JwtDecoder`.
- **Authorization**: Verification of access rights (Can you do this?). Use `@PreAuthorize`.

## Secure JWT Tokens

- **Algorithm**: Enforce `RS256` or `HS256`. **Reject `none` algorithm**.
- **Claims**: Validate `iss`, `aud`, and `exp`.
- **Tokens**: Short-lived access tokens (15m), secure refresh tokens (httpOnly cookie).

## Hardening Checklist

- [ ] **CSRF**: Disabled for pure APIs? Enabled + Cookie for Browser Apps?
- [ ] **CORS**: Specific origins permitted? No `*` with credentials?
- [ ] **Headers**: HSTS, Content-Type-Options, X-Frame-Options enabled?
- [ ] **Secrets**: No hardcoded keys? Loaded from Vault/Env?
- [ ] **Rate Limiting**: Applied on login/expensive endpoints?
- [ ] **Dependencies**: Scanned for CVEs?

## Anti-Patterns

- **No Adapter**: Use `SecurityFilterChain` bean instead of extending legacy classes.
- **No .and()**: Use Lambda DSL for configuration.
- **No Secrets**: Load from Vault or Environment variables (never git).
- **No antMatchers**: Use `requestMatchers` (Spring Security 6+).

## References

- [Implementation Examples](references/implementation.md)
- common/security-standards
- architecture
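The following is an added example, written for this page and not taken from the skill's `references/implementation.md`, showing how the rules above fit together in one Spring Security 6 configuration: a `SecurityFilterChain` bean built with the Lambda DSL, stateless sessions, CSRF disabled for a pure bearer-token API, an explicit CORS allow-list, HSTS / Content-Type-Options / X-Frame-Options headers, `requestMatchers` instead of `antMatchers`, and a `JwtDecoder` that pins the signing algorithm to RS256 and validates `iss`, `aud` and `exp`. The package name, the `app.jwt.*` and `app.cors.allowed-origins` property keys, the `/api/**` paths and the `orders:read` scope are assumptions for illustration; secrets and URIs are read from configuration rather than hardcoded.

```java
package com.example.security; // hypothetical package for this example

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // enables @PreAuthorize for method-level authorization
public class SecurityConfig {

    // SecurityFilterChain exposed as a @Bean, configured with the Lambda DSL only:
    // no WebSecurityConfigurerAdapter, no .and() chaining, no antMatchers.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http, CorsConfigurationSource corsSource) throws Exception {
        http
            // REST API: no HTTP session, every request carries its own bearer token
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Pure token API with no session cookie, so CSRF protection is not needed here;
            // a browser app using cookie auth would keep it enabled with a cookie token repository
            .csrf(csrf -> csrf.disable())
            .cors(cors -> cors.configurationSource(corsSource))
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31536000))
                .contentTypeOptions(Customizer.withDefaults()) // X-Content-Type-Options: nosniff
                .frameOptions(frame -> frame.deny()))          // X-Frame-Options: DENY
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/actuator/health").permitAll()
                .requestMatchers("/api/public/**").permitAll()
                .anyRequest().authenticated())
            // Resource server: authenticate with the JwtDecoder bean below
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // JwtDecoder pinned to RS256 (a "none" or unexpected algorithm is rejected) that
    // validates iss, aud and the exp/nbf timestamps. Keys come from the issuer's JWK set,
    // so nothing secret lives in source control.
    @Bean
    JwtDecoder jwtDecoder(@Value("${app.jwt.jwk-set-uri}") String jwkSetUri,   // assumed property
                          @Value("${app.jwt.issuer}") String issuer,           // assumed property
                          @Value("${app.jwt.audience}") String audience) {     // assumed property
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
            .jwsAlgorithm(SignatureAlgorithm.RS256)
            .build();
        // createDefaultWithIssuer = timestamp (exp/nbf) validator + issuer validator
        OAuth2TokenValidator<Jwt> issuerAndExpiry = JwtValidators.createDefaultWithIssuer(issuer);
        // aud is a list; the token must name this API explicitly
        OAuth2TokenValidator<Jwt> audienceMatches = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndExpiry, audienceMatches));
        return decoder;
    }

    // Explicit origin allow-list: never "*" together with allowCredentials(true)
    @Bean
    CorsConfigurationSource corsConfigurationSource(
            @Value("${app.cors.allowed-origins}") List<String> allowedOrigins) { // assumed property
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(allowedOrigins);
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}

// Authorization (can you do this?) expressed with @PreAuthorize. The default
// JwtAuthenticationConverter maps the token's "scope"/"scp" claim to SCOPE_* authorities.
@RestController
class OrderController {
    @GetMapping("/api/orders")
    @PreAuthorize("hasAuthority('SCOPE_orders:read')")
    List<String> orders() {
        return List.of("order-1", "order-2"); // constructed sample data
    }
}
```

The decoder is the enforcement point for the "Secure JWT Tokens" rules: pinning `jwsAlgorithm` means a token whose header names a different algorithm fails signature verification before any claim is read, and the audience validator closes the common gap where a token minted for another service at the same issuer would otherwise be accepted. CSRF stays disabled only because no cookie is involved in authentication; if refresh tokens are delivered in an httpOnly cookie to a browser app, that browser-facing filter chain should keep CSRF enabled as the checklist says.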
Related Skills
spring-boot-testing
Write unit, integration, and slice tests for Spring Boot 3 applications. Use when writing unit tests, integration tests, or slice tests for Spring Boot 3 applications. (triggers: **/*Test.java, webmvctest, datajpatest, testcontainers, assertj)
spring-boot-scheduling
Configure scheduled tasks and distributed locking with ShedLock in Spring Boot. Use when implementing @Scheduled tasks or distributed locking with ShedLock in Spring Boot. (triggers: **/*Scheduler.java, **/*Job.java, scheduled, shedlock, cron)
spring-boot-observability
Instrument Spring Boot with Micrometer metrics, distributed tracing, and structured logging. Use when adding Micrometer metrics, distributed tracing, or structured logging to Spring Boot. (triggers: logback-spring.xml, application.properties, micrometer, tracing, correlation-id, mdc)
spring-boot-microservices
Standards for Feign clients and asynchronous messaging with Spring Cloud Stream. Use when implementing Feign HTTP clients or async event messaging in Spring Boot microservices. (triggers: **/*Client.java, **/*Consumer.java, feign-client, spring-cloud-stream, rabbitmq, resilience4j)
spring-boot-deployment
Deploy Spring Boot apps with Docker, GraalVM native images, and graceful shutdown. Use when deploying Spring Boot apps as GraalVM native images, containers, or configuring shutdown. (triggers: Dockerfile, compose.yml, docker-layer, native-image, graceful-shutdown)
spring-boot-data-access
Optimize JPA, Hibernate, and database interactions in Spring Boot. Use when implementing JPA entities, repositories, or database access in Spring Boot. (triggers: **/*Repository.java, **/*Entity.java, jpa-repository, entity-graph, transactional, n-plus-1)
spring-boot-best-practices
Apply core coding standards, dependency injection, and configuration for Spring Boot 3. Use when applying Spring Boot 3 coding standards or configuring dependency injection. (triggers: application.properties, **/*Service.java, autowired, requiredargsconstructor, configuration-properties, slf4j)
spring-boot-architecture
Structure Spring Boot 3+ projects with feature packaging and clean layering. Use when structuring Spring Boot 3 projects, defining layers, or applying architecture patterns. (triggers: pom.xml, build.gradle, structure, layering, dto, controller, @RestController, @Service, @Repository, @Entity, @Bean, @Configuration)
spring-boot-api-design
Design Spring Boot APIs with OpenAPI, Versioning, and Global Error Handling. Use when designing Spring Boot APIs with OpenAPI specs, versioning, or global error handling. (triggers: **/*Controller.java, openapi, swagger, versioning, problemdetails)
react-security
Prevent XSS, secure auth flows, and harden React client-side applications. Use when preventing XSS, securing auth flows, or auditing third-party dependencies in React. (triggers: **/*.tsx, **/*.jsx, dangerouslySetInnerHTML, token, auth, xss)
react-native-security
Secure storage, network traffic, and deep links in React Native mobile apps. Use when implementing secure storage, certificate pinning, or deep link validation in React Native. (triggers: **/*.tsx, **/*.ts, security, keychain, secure-storage, deep-link, certificate-pinning)
php-security
PHP security standards for database access, password handling, and input validation. Use when securing PHP apps against SQL injection, XSS, or weak password storage. (triggers: **/*.php, pdo, password_hash, htmlentities, filter_var)