Spring Security 7 for Spring Boot 4
Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.
Critical Breaking Changes
| Removed API | Replacement | Status |
|---|---|---|
and() method | Lambda DSL closures | Required |
authorizeRequests() | authorizeHttpRequests() | Required |
antMatchers() | requestMatchers() | Required |
WebSecurityConfigurerAdapter | SecurityFilterChain bean | Required |
@EnableGlobalMethodSecurity | @EnableMethodSecurity | Required |
Core Workflow
- •Create SecurityFilterChain → 2. Define authorization → 3. Configure authentication → 4. Add method security → 5. Handle CORS/CSRF
See WORKFLOW.md for detailed step-by-step instructions with code examples.
Quick Patterns
See EXAMPLES.md for complete working examples including:
- •REST API Security with JWT/OAuth2 (Java + Kotlin)
- •Form Login with Session Security and CSRF
- •Method Security with @PreAuthorize and SpEL
- •CORS Configuration for cross-origin APIs
- •Password Encoder (Argon2 for Security 7)
Spring Boot 4 Specifics
- •Lambda DSL is mandatory (no
and()chaining) - •Argon2 password encoder:
Argon2PasswordEncoder.defaultsForSpring7() - •CSRF for SPAs:
CookieCsrfTokenRepository.withHttpOnlyFalse() - •@EnableMethodSecurity replaces
@EnableGlobalMethodSecurity
Detailed References
- •Workflow: See WORKFLOW.md for detailed step-by-step security configuration
- •Examples: See EXAMPLES.md for complete working code examples
- •Troubleshooting: See TROUBLESHOOTING.md for common issues and Boot 4 migration
- •Security Configuration: See references/SECURITY-CONFIG.md for complete SecurityFilterChain patterns
- •Authentication: See references/AUTHENTICATION.md for UserDetailsService, password encoding
- •JWT/OAuth2: See references/JWT-OAUTH2.md for resource server, token validation
Related Skills
| Need | Skill |
|---|---|
| Testing secured endpoints | spring-boot-testing |
| Actuator endpoint security | spring-boot-observability |
| Dependency verification | spring-boot-verify |
Anti-Pattern Checklist
| Anti-Pattern | Fix |
|---|---|
Using and() chaining | Use Lambda DSL closures |
antMatchers() | Replace with requestMatchers() |
authorizeRequests() | Replace with authorizeHttpRequests() |
| CSRF disabled without JWT | Keep CSRF for session-based auth |
| Hardcoded credentials | Use environment variables or Secret Manager |
permitAll() on sensitive endpoints | Audit all permit rules |
Missing authenticated() default | End with .anyRequest().authenticated() |
Critical Reminders
- •Lambda DSL is mandatory — No more
and()chaining in Security 7 - •Order matters — More specific
requestMatchersbefore general ones - •CSRF for sessions — Only disable for stateless JWT APIs
- •Method security needs enabling — Add
@EnableMethodSecurity - •Test security configuration — Use
@WithMockUserand JWT test support (seespring-boot-testing)