spring-boot-security
$
npx mdskill add HoangNguyen0403/agent-skills-standard/spring-boot-security- **Lambda DSL**: ALWAYS use Lambda DSL. - **SecurityFilterChain**: Expose as `@Bean`. not extend `WebSecurityConfigurerAdapter`. - **Statelessness**: Enforce `SessionCreationPolicy.STATELESS` for REST APIs.
SKILL.md
.github/skills/spring-boot-securityView on GitHub ↗
---
name: spring-boot-security
description: Configure Spring Security 6+ with Lambda DSL, JWT, and hardening rules. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot.
metadata:
triggers:
files:
- '**/*SecurityConfig.java'
- '**/*Filter.java'
keywords:
- security-filter-chain
- lambda-dsl
- csrf
- cors
---
# Spring Boot Security Standards
## **Priority: P0 (CRITICAL)**
## Configure SecurityFilterChain
- **Lambda DSL**: ALWAYS use Lambda DSL.
- **SecurityFilterChain**: Expose as `@Bean`. not extend `WebSecurityConfigurerAdapter`.
- **Statelessness**: Enforce `SessionCreationPolicy.STATELESS` for REST APIs.
See [implementation examples](references/implementation.md) for SecurityFilterChain configuration with Lambda DSL and JWT.
## Implement Authentication and Authorization
- **Authentication**: Validation of credentials (Who you?). Use `AuthenticationManager` or `JwtDecoder`.
- **Authorization**: Verification of access rights (Can you this?). Use `@PreAuthorize`.
## Secure JWT Tokens
- **Algorithm**: Enforce `RS256` or `HS256`. **Reject `none` algorithm**.
- **Claims**: Validate `iss`, `aud`, and `exp`.
- **Tokens**: Short-lived access tokens (15m), secure refresh tokens (httpOnly cookie).
## Hardening Checklist
- [ ] **CSRF**: Disabled for pure APIs? Enabled + Cookie for Browser Apps?
- [ ] **CORS**: Specific origins permitted? No `*` with credentials?
- [ ] **Headers**: HSTS, Content-Type-Options, X-Frame-Options enabled?
- [ ] **Secrets**: No hardcoded keys? Loaded from Vault/Env?
- [ ] **Rate Limiting**: Applied on login/expensive endpoints?
- [ ] **Dependencies**: Scanned for CVEs?
## Anti-Patterns
- **No Adapter**: Use `SecurityFilterChain` bean instead of extending legacy classes.
- **No .and()**: Use Lambda DSL for configuration.
- **No Secrets**: Load from Vault or Environment variables (never git).
- **No antMatchers**: Use `requestMatchers` (Spring Security 6+).
## References
- [Implementation Examples](references/implementation.md)
- common/security-standards
- architectureMore from HoangNguyen0403/agent-skills-standard
- android-agp-upgradeUpgrade an Android project to Android Gradle Plugin (AGP) 9. Use when migrating to AGP 9, updating Gradle build files, migrating to built-in Kotlin, or adopting the new AGP DSL.
- android-architectureApply Clean Architecture layering, modularization, and Unidirectional Data Flow in Android projects. Use when setting up project structure, placing code in layers, configuring feature/core modules, or implementing UDF patterns.
- android-background-workImplement WorkManager and background processing correctly on Android. Use when creating Worker classes, scheduling tasks, choosing between WorkManager and Foreground Services, or setting up Hilt in workers.
- android-composeBuild high-performance declarative UI with Jetpack Compose. Use when writing Composable functions, optimizing recomposition, hoisting state, or working with LazyColumn and side effects.
- android-compose-migrationMigrate an Android XML View to Jetpack Compose following a structured 10-step workflow. Use when converting XML layouts to Compose, setting up Compose in an existing View-based project, or incrementally adopting Compose.
- android-concurrencyWrite correct coroutine scopes, Flow collection, and dispatcher injection in Android. Use when writing suspend functions, choosing between StateFlow and SharedFlow, or injecting Dispatchers for testability.
- android-deploymentConfigure release signing, R8 obfuscation, and App Bundle publishing for Android. Use when setting up signing configs, enabling minification, adding ProGuard keep rules, or preparing for Play Store submission.
- android-design-systemEnforce Material Design 3 theming and design token usage in Jetpack Compose. Use when implementing M3 components, color schemes, typography, or design tokens.
- android-diConfigure Hilt dependency injection with proper scoping, modules, and constructor injection in Android. Use when setting up Hilt DI, defining modules, or configuring component scoping.
- android-edge-to-edgeMigrate a Jetpack Compose app to edge-to-edge display and fix system bar inset issues. Use when UI components are obscured by navigation/status bars, fixing IME insets, or enabling edge-to-edge for SDK 35+.