Agent Skills: Spring Boot Security Standards

Configure Spring Security 6+ with Lambda DSL, JWT, and hardening rules. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot. (triggers: **/*SecurityConfig.java, **/*Filter.java, security-filter-chain, lambda-dsl, csrf, cors)

Category: Uncategorized
ID: hoangnguyen0403/agent-skills-standard/spring-boot-security

Install this agent skill to your local

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/spring-boot/spring-boot-security

Skill Files


skills/spring-boot/spring-boot-security/SKILL.md

Skill Metadata

Name
spring-boot-security

Spring Boot Security Standards

Priority: P0 (CRITICAL)

Configure SecurityFilterChain

  • Lambda DSL: ALWAYS use the Lambda DSL (http.csrf(csrf -> ...)). The chained .and() style is deprecated in Spring Security 6.1 and removed in 7.0.
  • SecurityFilterChain: Expose it as a @Bean. Do not extend WebSecurityConfigurerAdapter, which was removed in Spring Security 6.0.
  • Statelessness: Enforce SessionCreationPolicy.STATELESS for REST APIs so no HttpSession (and no JSESSIONID cookie) is created; authentication is re-established from the bearer token on every request.

See implementation examples for SecurityFilterChain configuration with Lambda DSL and JWT.

Implement Authentication and Authorization

  • Authentication: Validation of credentials (Who are you?). Use an AuthenticationManager for username/password flows, or a JwtDecoder wired through oauth2ResourceServer for bearer tokens.
  • Authorization: Verification of access rights (Can you do this?). Apply coarse per-URL rules with authorizeHttpRequests/requestMatchers and fine-grained rules on service methods with @PreAuthorize, which only takes effect once @EnableMethodSecurity is present on a configuration class.
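The following configuration is an added example for the two sections above (stateless Lambda DSL filter chain plus JWT authentication and method-level authorization); it is not code from the skill or its repository. The package name, URL paths, the "roles" claim name and the OrderController are assumptions made for the example; the JwtDecoder bean it relies on is supplied separately (Spring Boot auto-configures one from the spring.security.oauth2.resourceserver.jwt.* properties, or you define it yourself).

```java
package com.example.security; // hypothetical package, not part of the skill

import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // required for @PreAuthorize in Spring Security 6 (replaces @EnableGlobalMethodSecurity)
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless REST API: no HttpSession, no JSESSIONID, no session-fixation surface
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protects cookie/session-authenticated requests; this chain accepts bearer tokens only
            .csrf(csrf -> csrf.disable())
            // Authorization, coarse layer: URL rules, most specific first
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/actuator/health").permitAll()
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Authentication: validate the bearer JWT with the JwtDecoder bean
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // Map the issuer's "roles" claim (an assumption about the token layout) onto ROLE_* authorities
    // so hasRole('ADMIN') works in both the URL rules and @PreAuthorize expressions.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

// Authorization, fine-grained layer: the URL rule above only requires "authenticated";
// the method rule narrows it to admins or the owner (JWT "sub" is authentication.name).
@RestController
@RequestMapping("/api/orders")
class OrderController {

    @GetMapping("/{ownerId}/{orderId}")
    @PreAuthorize("hasRole('ADMIN') or #ownerId == authentication.name")
    public Map<String, String> order(@PathVariable String ownerId, @PathVariable String orderId) {
        return Map.of("owner", ownerId, "order", orderId); // placeholder body for the example
    }
}
```

A request to /api/orders/alice/42 with a valid token whose sub is "bob" and no ADMIN role passes the filter chain (it is authenticated) but is rejected by the method rule with 403; remove @EnableMethodSecurity and the same request succeeds, which is why the annotation belongs in the checklist.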

Secure JWT Tokens

  • Algorithm: Pin the expected algorithm in the decoder (RS256 or ES256 preferred; HS256 only when issuer and verifier are the same trust domain and the secret is at least 256 bits). Reject the none algorithm and anything not pinned, so a token cannot be downgraded to an HMAC signed with the public key.
  • Claims: Validate iss, aud and exp (and nbf when present). Spring's default JwtDecoder checks the timestamps and, when built from an issuer location, iss; aud is not checked unless you add a validator or set the spring.security.oauth2.resourceserver.jwt.audiences property in recent Spring Boot versions.
  • Tokens: Short-lived access tokens (about 15 minutes) held in client memory; refresh tokens in an HttpOnly, Secure, SameSite cookie scoped to the refresh path, rotated on every use and revocable server-side.
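An added example of the three points above, not taken from the skill: a JwtDecoder bean that pins RS256, validates exp/nbf with bounded clock skew, iss and aud, plus a helper that builds the refresh-token cookie. The app.jwt.* and app.cors.* style property names, the cookie name and the /auth/refresh path are assumptions; the RSAPublicKey injection from a resource location relies on the converter that @EnableWebSecurity registers.

```java
package com.example.security; // hypothetical package, not part of the skill

import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.Collection;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseCookie;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Assumed properties for this example:
    //   app.jwt.issuer=https://issuer.example.com
    //   app.jwt.audience=orders-api
    //   app.jwt.public-key=classpath:jwt-public.pem   (X.509 SubjectPublicKeyInfo PEM, never the private key)
    @Bean
    JwtDecoder jwtDecoder(@Value("${app.jwt.issuer}") String issuer,
                          @Value("${app.jwt.audience}") String audience,
                          @Value("${app.jwt.public-key}") RSAPublicKey publicKey) {

        // Pinning the algorithm makes the decoder reject any header that is not RS256:
        // "alg":"none" and HS256-with-the-public-key-as-secret both fail before signature checks.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey)
                .signatureAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // exp and nbf, allowing 30 seconds of clock skew between issuer and resource server
        OAuth2TokenValidator<Jwt> timestamps = new JwtTimestampValidator(Duration.ofSeconds(30));
        // iss must equal the configured issuer exactly
        OAuth2TokenValidator<Jwt> issuerCheck = new JwtIssuerValidator(issuer);
        // aud is a list in the Jwt model; a missing claim must fail, hence the null check
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<Collection<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));

        // setJwtValidator replaces the default (timestamp-only) validator, so timestamps are re-added here
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(timestamps, issuerCheck, audienceCheck));
        return decoder;
    }

    // Refresh token cookie: unreadable from JavaScript, HTTPS only, not sent cross-site,
    // and only attached to the refresh endpoint so other requests never carry it.
    public static ResponseCookie refreshTokenCookie(String refreshToken) {
        return ResponseCookie.from("refresh_token", refreshToken)
                .httpOnly(true)
                .secure(true)
                .sameSite("Strict")
                .path("/auth/refresh")
                .maxAge(Duration.ofDays(7))
                .build();
    }
}
```

The 15-minute access-token lifetime is set on the issuer side when the token is minted; the decoder only enforces whatever exp the issuer put in. Because the refresh cookie is sent by the browser automatically, the /auth/refresh endpoint is cookie-authenticated and must sit behind CSRF protection, not in the stateless CSRF-disabled API chain.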

Hardening Checklist

  • [ ] CSRF: Disabled only for stateless, bearer-token-only APIs that accept no cookie or session authentication? Enabled with CookieCsrfTokenRepository for browser apps? Any endpoint that reads an httpOnly refresh cookie treated as a browser endpoint and CSRF-protected?
  • [ ] CORS: Specific origins permitted, no wildcard? allowCredentials(true) never combined with * (Spring rejects that combination)?
  • [ ] Headers: Spring Security's defaults (HSTS on HTTPS, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Cache-Control no-store) left enabled rather than disabled wholesale? Content-Security-Policy added explicitly, since it is not a default?
  • [ ] Secrets: No hardcoded signing keys or client secrets? Loaded from Vault or the environment at startup?
  • [ ] Rate Limiting: Applied on login, token refresh and other expensive endpoints?
  • [ ] Dependencies: Scanned for known CVEs (OWASP Dependency-Check, Dependabot or similar), and Spring Security kept on a supported release line?

Anti-Patterns

  • No Adapter: Use a SecurityFilterChain bean; WebSecurityConfigurerAdapter was removed in Spring Security 6.0.
  • No .and(): Use the Lambda DSL; .and() chaining is deprecated in 6.1 and removed in 7.0.
  • No Secrets in source: Load signing keys and client secrets from Vault or environment variables, never from git (a leaked HS256 secret lets anyone mint valid tokens).
  • No antMatchers: Use requestMatchers; antMatchers, mvcMatchers and regexMatchers were removed in Spring Security 6.0.

References