AgentSkillsCN

spring-boot-security

Spring Security 7 implementation for Spring Boot 4. Use this skill when configuring authentication, authorization, OAuth2/JWT resource servers, method security, or CORS/CSRF. Covers the mandatory Lambda DSL migration, SecurityFilterChain patterns, @PreAuthorize, and password encoding. For testing secured endpoints, see the spring-boot-testing skill.

SKILL.md
---
name: spring-boot-security
description: Spring Security 7 implementation for Spring Boot 4. Use when configuring authentication, authorization, OAuth2/JWT resource servers, method security, or CORS/CSRF. Covers the mandatory Lambda DSL migration, SecurityFilterChain patterns, @PreAuthorize, and password encoding. For testing secured endpoints, see spring-boot-testing skill.
spring-boot-version: "4.0"
---

Spring Security 7 for Spring Boot 4

Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.

Critical Breaking Changes

| Removed API | Replacement | Status |
| --- | --- | --- |
| `and()` method | Lambda DSL closures | Required |
| `authorizeRequests()` | `authorizeHttpRequests()` | Required |
| `antMatchers()` | `requestMatchers()` | Required |
| `WebSecurityConfigurerAdapter` | `SecurityFilterChain` bean | Required |
| `@EnableGlobalMethodSecurity` | `@EnableMethodSecurity` | Required |

Core Workflow

  1. Create SecurityFilterChain → 2. Define authorization → 3. Configure authentication → 4. Add method security → 5. Handle CORS/CSRF

See WORKFLOW.md for detailed step-by-step instructions with code examples.
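The five workflow steps carried through in one configuration for a stateless JWT resource server, written as an added example for this page; it is not code from the skill pack, WORKFLOW.md, or the Spring Security reference. It also exercises the migration table above (SecurityFilterChain bean, authorizeHttpRequests, requestMatchers, @EnableMethodSecurity, no and() chaining). The package name, the /api/** paths, the SCOPE_api.read and SCOPE_api.admin authorities, the SPA origin, the AccountService bean and the issuer-uri property are assumptions for illustration.

```java
// Added example (not from the skill pack): one SecurityFilterChain that walks steps 1-5 of the
// Core Workflow for a stateless JWT resource server. Package, paths, scopes and origin are assumed.
package com.example.security;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // step 4: turns on @PreAuthorize (replaces @EnableGlobalMethodSecurity)
public class ApiSecurityConfig {

    // Step 1: the filter chain is a bean; there is no WebSecurityConfigurerAdapter to extend.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Step 5: CORS delegates to the corsConfigurationSource bean below.
            .cors(Customizer.withDefaults())
            // Step 5: CSRF defends cookie-bound sessions. This chain never creates a session and never
            // reads credentials from a cookie, so disabling it is justified here and only here; any
            // chain that uses form login or sessions must keep it enabled.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Step 2: most specific matcher first. Spring Security rejects a matcher added after
            // anyRequest(), so the catch-all must be the last rule, not the first.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll() // audit every permitAll
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_api.admin")
                .requestMatchers("/api/**").hasAuthority("SCOPE_api.read")
                .anyRequest().authenticated()) // deny-by-default tail
            // Step 3: bearer JWT validation. Spring Boot builds the JwtDecoder from
            // spring.security.oauth2.resourceserver.jwt.issuer-uri (assumed set in application.yml).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com")); // assumed SPA origin; no wildcard
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(false); // the token travels in a header, so cookies are never needed
        config.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}

// Step 4: a second authorization layer on the service method itself, so a new controller route
// that forgets a URL rule still cannot hand out another user's data. Assumed service for illustration.
@Service
class AccountService {

    @PreAuthorize("hasAuthority('SCOPE_api.admin') or #ownerId == authentication.name")
    public String balanceFor(String ownerId) {
        // For a JwtAuthenticationToken, authentication.name is the token's "sub" claim.
        return "balance for " + ownerId; // placeholder body; the real lookup is assumed
    }
}
```

The URL rules and the @PreAuthorize expression enforce the same policy twice on purpose: the filter chain rejects unauthenticated and under-scoped callers before any controller runs, and the method-level check stops an authenticated user from reaching another owner's record through any route that happens to call the service.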

Quick Patterns

See EXAMPLES.md for complete working examples including:

  • REST API Security with JWT/OAuth2 (Java + Kotlin)
  • Form Login with Session Security and CSRF
  • Method Security with @PreAuthorize and SpEL
  • CORS Configuration for cross-origin APIs
  • Password Encoder (Argon2 for Security 7)

Spring Boot 4 Specifics

  • Lambda DSL is mandatory (no and() chaining)
  • Argon2 password encoder: Argon2PasswordEncoder.defaultsForSpring7()
  • CSRF for SPAs: CookieCsrfTokenRepository.withHttpOnlyFalse() issues the token as a cookie the SPA's JavaScript can read; pair it with a request handler that accepts the raw token value echoed back in the X-XSRF-TOKEN header, since the default XOR handler expects a masked value and rejects the raw one
  • @EnableMethodSecurity replaces @EnableGlobalMethodSecurity
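A session-based form-login chain that applies the items above, added here as an example that is not part of the skill pack or EXAMPLES.md. It keeps CSRF enabled, hands the token to an SPA through CookieCsrfTokenRepository.withHttpOnlyFalse(), and hashes passwords with Argon2id. The package, the public paths, the DEMO_USER_PASSWORD variable, the single in-memory user and the SpaCsrfTokenRequestHandler class name are assumptions; Argon2PasswordEncoder requires Bouncy Castle on the classpath.

```java
// Added example (not from the skill pack): session-based form login that keeps CSRF enabled, issues the
// token as a JavaScript-readable cookie for an SPA, and hashes passwords with Argon2id. Package, paths
// and the demo user are assumed; Argon2PasswordEncoder needs Bouncy Castle on the classpath.
package com.example.security;

import java.util.Objects;
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/assets/**").permitAll() // assumed public paths
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.logoutSuccessUrl("/"))
            // Authentication rides on the session cookie, so CSRF stays ON. The repository writes the
            // token to a cookie the SPA can read (HttpOnly=false); the handler below accepts the raw
            // value the SPA echoes back in the X-XSRF-TOKEN header.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()));
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Argon2id with explicit parameters: 16-byte salt, 32-byte hash, 1 lane, 64 MiB, 3 passes.
        // Argon2PasswordEncoder.defaultsForSpring7(), as named on this page, is the alternative when
        // the library-chosen defaults are wanted.
        return new Argon2PasswordEncoder(16, 32, 1, 1 << 16, 3);
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Demo store only. The password is read from the environment so nothing is hardcoded, and
        // startup fails fast if it is missing instead of falling back to a default value.
        String password = Objects.requireNonNull(System.getenv("DEMO_USER_PASSWORD"),
                "DEMO_USER_PASSWORD must be set");
        return new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode(password)).roles("USER").build());
    }
}

// Rendering uses the XOR (BREACH-resistant) handler; resolving falls back to the plain handler only
// when the token arrives in the header, which is where an SPA sends the cookie value it read.
final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
    private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
    private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
        this.xor.handle(request, response, csrfToken);
        csrfToken.get(); // force the deferred token to load so the cookie is actually written
    }

    @Override
    public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
        String headerValue = request.getHeader(csrfToken.getHeaderName());
        return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
    }
}
```

Form posts rendered by the server keep the masked token in the hidden _csrf field and go through the XOR path; the SPA reads the XSRF-TOKEN cookie and sends it unchanged in X-XSRF-TOKEN, which the plain path validates. Both paths reject a request that carries neither.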

Detailed References

  • WORKFLOW.md: step-by-step setup instructions with code examples
  • EXAMPLES.md: complete working examples (Java + Kotlin)

Related Skills

| Need | Skill |
| --- | --- |
| Testing secured endpoints | spring-boot-testing |
| Actuator endpoint security | spring-boot-observability |
| Dependency verification | spring-boot-verify |

Anti-Pattern Checklist

| Anti-Pattern | Fix |
| --- | --- |
| `and()` chaining | Use Lambda DSL closures |
| `antMatchers()` | Replace with `requestMatchers()` |
| `authorizeRequests()` | Replace with `authorizeHttpRequests()` |
| CSRF disabled on a session-based app | Keep CSRF enabled wherever authentication rides on a cookie or session; disable it only for stateless bearer-token APIs |
| Hardcoded credentials | Load them from environment variables or a secret manager |
| `permitAll()` on sensitive endpoints | Audit every permit rule and keep the list as short as possible |
| No authenticated default | End with `.anyRequest().authenticated()` so unmatched paths deny by default |

Critical Reminders

  1. Lambda DSL is mandatory — No more and() chaining in Security 7
  2. Order matters — More specific requestMatchers before general ones
  3. CSRF for sessions — Only disable for stateless JWT APIs
  4. Method security needs enabling — Add @EnableMethodSecurity
  5. Test security configuration — Use @WithMockUser and JWT test support (see spring-boot-testing)