spring-boot-security

$npx mdskill add HoangNguyen0403/agent-skills-standard/spring-boot-security


SKILL.md

.github/skills/spring-boot-security
---
name: spring-boot-security
description: Configure Spring Security 6+ with Lambda DSL, JWT, and hardening rules. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot.
metadata:
  triggers:
    files:
    - '**/*SecurityConfig.java'
    - '**/*Filter.java'
    keywords:
    - security-filter-chain
    - lambda-dsl
    - csrf
    - cors
---
# Spring Boot Security Standards

## **Priority: P0 (CRITICAL)**

## Configure SecurityFilterChain

- **Lambda DSL**: ALWAYS use Lambda DSL.
- **SecurityFilterChain**: Expose it as a `@Bean`; do not extend `WebSecurityConfigurerAdapter`.
- **Statelessness**: Enforce `SessionCreationPolicy.STATELESS` for REST APIs.

See [implementation examples](references/implementation.md) for SecurityFilterChain configuration with Lambda DSL and JWT.

## Implement Authentication and Authorization

- **Authentication**: Validation of credentials (Who are you?). Use `AuthenticationManager` or `JwtDecoder`.
- **Authorization**: Verification of access rights (Are you allowed to do this?). Use `@PreAuthorize`.

## Secure JWT Tokens

- **Algorithm**: Enforce `RS256` or `HS256`. **Reject the `none` algorithm**.
- **Claims**: Validate `iss`, `aud`, and `exp`.
- **Tokens**: Short-lived access tokens (15 min), secure refresh tokens (httpOnly cookie).

## Hardening Checklist

- [ ] **CSRF**: Disabled for pure token APIs? Enabled, with a cookie-based token, for browser apps?
- [ ] **CORS**: Specific origins permitted? No `*` with credentials?
- [ ] **Headers**: HSTS, Content-Type-Options, X-Frame-Options enabled?
- [ ] **Secrets**: No hardcoded keys? Loaded from Vault/Env?
- [ ] **Rate Limiting**: Applied on login/expensive endpoints?
- [ ] **Dependencies**: Scanned for CVEs?

## Anti-Patterns

- **No Adapter**: Use `SecurityFilterChain` bean instead of extending legacy classes.
- **No .and()**: Use Lambda DSL for configuration.
- **No Secrets**: Load from Vault or Environment variables (never git).
- **No antMatchers**: Use `requestMatchers` (Spring Security 6+).
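As an added example (not code from this repository or its `references/implementation.md`), one Spring Security 6 configuration that applies the rules from the SecurityFilterChain, JWT, hardening and anti-pattern sections above: Lambda DSL, a stateless chain exposed as a `@Bean`, `requestMatchers`, an RS256-pinned `JwtDecoder` that validates `iss`, `aud` and `exp`, and a CORS policy with explicit origins. The issuer, JWKS path, audience, scope name and origin are placeholder values.

```java
import java.util.*;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize checks on controller/service methods
public class SecurityConfig {
    private static final String ISSUER = "https://issuer.example.test"; // hypothetical; load from Vault/env, never source
    private static final String AUDIENCE = "orders-api";                // hypothetical audience this API accepts

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable()) // token-only API: no session cookie, so no CSRF surface
            .cors(cors -> cors.configurationSource(corsSource()))
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin") // default converter maps "scope" to SCOPE_*
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Pinning the JWS algorithm rejects tokens carrying any other alg, including "none", before claim validation.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(ISSUER + "/.well-known/jwks.json").jwsAlgorithm(SignatureAlgorithm.RS256).build();
        // The default validators check exp/nbf and iss; an aud check has to be added explicitly.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(JwtValidators.createDefaultWithIssuer(ISSUER),
            new JwtClaimValidator<Collection<String>>(JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE))));
        return decoder;
    }

    private CorsConfigurationSource corsSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.test")); // explicit origin: "*" plus credentials is refused by Spring
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}
```

Spring Security's default header writers already send HSTS (on HTTPS requests), `X-Content-Type-Options: nosniff` and `X-Frame-Options: DENY`, so the header items on the checklist need no extra configuration in this chain.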

## References

- [Implementation Examples](references/implementation.md)
- common/security-standards
- architecture
