Skill

spring-boot-security

Configures Spring Security 7 authentication, authorization, OAuth2/JWT resource servers, method security, CORS/CSRF for Spring Boot 4. Covers Lambda DSL migration, SecurityFilterChain, @PreAuthorize, password encoding.

Spring Boot

Java

Kotlin

security

authentication

npx claudepluginhub joaquimscosta/arkhe-claude-plugins --plugin spring-boot

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.

Supporting Assets

EXAMPLES.mdTROUBLESHOOTING.mdWORKFLOW.mdreferences/AUTHENTICATION.mdreferences/JWT-OAUTH2.mdreferences/SECURITY-CONFIG.md

SKILL.md

Similar Skills

spring-security

328

Guides Spring Security implementation for authentication, authorization, OAuth2, JWT, CORS, CSRF in Spring Boot applications.

1 file

partme-ai-full-stack-skills

spring-security-configuration

Creates Spring Security @Configuration class with filterChain for authentication, authorization, and HTTP protection. Use for REST APIs, OAuth2/OIDC login, or JWT resource servers.

20 files

amplicode-spring-skills

spring-boot-security-jwt

174

Implements JWT authentication and authorization patterns for Spring Boot 3.5.x using Spring Security 6.x and JJWT: token generation, Bearer/cookie auth, refresh tokens, OAuth2 integration, RBAC permissions. Use for securing REST APIs.

19 files6 tools

developer-kit-java

Stats

Parent Repo Stars10

Parent Repo Forks1

Last CommitMar 26, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Spring Security 7 for Spring Boot 4

Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.

Critical Breaking Changes

Removed API	Replacement	Status
`and()` method	Lambda DSL closures	Required
`authorizeRequests()`	`authorizeHttpRequests()`	Required
`antMatchers()`	`requestMatchers()`	Required
`WebSecurityConfigurerAdapter`	`SecurityFilterChain` bean	Required
`@EnableGlobalMethodSecurity`	`@EnableMethodSecurity`	Required

Core Workflow

Create SecurityFilterChain → 2. Define authorization → 3. Configure authentication → 4. Add method security → 5. Handle CORS/CSRF

See WORKFLOW.md for detailed step-by-step instructions with code examples.

Quick Patterns

See EXAMPLES.md for complete working examples including:

REST API Security with JWT/OAuth2 (Java + Kotlin)
Form Login with Session Security and CSRF
Method Security with @PreAuthorize and SpEL
CORS Configuration for cross-origin APIs
Password Encoder (Argon2 for Security 7)

Spring Boot 4 Specifics

Lambda DSL is mandatory (no and() chaining)
Argon2 password encoder: Argon2PasswordEncoder.defaultsForSpring7()
CSRF for SPAs: CookieCsrfTokenRepository.withHttpOnlyFalse()
@EnableMethodSecurity replaces @EnableGlobalMethodSecurity

Detailed References

Workflow: See WORKFLOW.md for detailed step-by-step security configuration
Examples: See EXAMPLES.md for complete working code examples
Troubleshooting: See TROUBLESHOOTING.md for common issues and Boot 4 migration
Security Configuration: See references/SECURITY-CONFIG.md for complete SecurityFilterChain patterns
Authentication: See references/AUTHENTICATION.md for UserDetailsService, password encoding
JWT/OAuth2: See references/JWT-OAUTH2.md for resource server, token validation

Related Skills

Need	Skill
Testing secured endpoints	`spring-boot-testing`
Actuator endpoint security	`spring-boot-observability`
Dependency verification	`spring-boot-verify`

Anti-Pattern Checklist

Anti-Pattern	Fix
Using `and()` chaining	Use Lambda DSL closures
`antMatchers()`	Replace with `requestMatchers()`
`authorizeRequests()`	Replace with `authorizeHttpRequests()`
CSRF disabled without JWT	Keep CSRF for session-based auth
Hardcoded credentials	Use environment variables or Secret Manager
`permitAll()` on sensitive endpoints	Audit all permit rules
Missing `authenticated()` default	End with `.anyRequest().authenticated()`

Critical Reminders

Lambda DSL is mandatory — No more and() chaining in Security 7
Order matters — More specific requestMatchers before general ones
CSRF for sessions — Only disable for stateless JWT APIs
Method security needs enabling — Add @EnableMethodSecurity
Test security configuration — Use @WithMockUser and JWT test support (see spring-boot-testing)