AgentSkillsCN

security-expert

Use this skill when the user asks to "secure my API", "implement authentication", "configure Keycloak", "add authorization", "fix JWT issues", "set up OAuth", "review security", "security audit", "pen test prep", "prevent SQL injection", "fix XSS", "CSRF protection", or works with JWT tokens, OAuth 2.0/OIDC flows, Spring Security, ABAC/RBAC policies, CORS, CSRF, XSS prevention, SQL injection, OWASP guidelines, or debugging auth failures in Spring/Keycloak environments.

SKILL.md
---
name: security-expert
description: "This skill should be used when the user asks to 'secure my API', 'implement authentication', 'configure Keycloak', 'add authorization', 'fix JWT issues', 'set up OAuth', 'review security', 'security audit', 'pen test prep', 'prevent SQL injection', 'fix XSS', 'CSRF protection', or works with JWT tokens, OAuth 2.0/OIDC flows, Spring Security, ABAC/RBAC policies, CORS, CSRF, XSS prevention, SQL injection, OWASP guidelines, or debugging auth failures in Spring/Keycloak environments."
---

Security Expert Skill

Expert guidance for API security, authentication, authorization, and identity management.

Core Competencies

  • Authentication: JWT, OAuth 2.0, OpenID Connect, SAML, session management
  • Authorization: RBAC, ABAC, ReBAC, policy engines
  • Identity Providers: Keycloak, Okta, Auth0, Azure AD
  • Frameworks: Spring Security, Spring Boot, Jakarta EE Security
  • Web Security: OWASP Top 10, CSP, CORS, CSRF, XSS prevention
  • Injection Prevention: SQL injection, parameterized queries, input validation
  • Frontend Security: React XSS protection, DOMPurify, URL sanitization, CSP for SPAs

Quick Reference

JWT Best Practices

  • Always validate: signature, expiration (exp), issuer (iss), audience (aud)
  • Use RS256/ES256 for distributed systems (asymmetric), HS256 only for single-service
  • Keep tokens short-lived (5-15 min access, hours-days refresh)
  • Never store sensitive data in JWT payload (it's base64, not encrypted)
  • Implement token revocation via blacklist or short expiry + refresh rotation

Spring Security + Keycloak Integration Pattern

```java
// Minimal resource server config
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Validates bearer JWTs against the issuer/JWKS configured under
        // spring.security.oauth2.resourceserver.jwt.* (or a JwtDecoder bean).
        http.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                // hasRole("ADMIN") requires a ROLE_ADMIN authority. The default JWT
                // converter only maps the "scope" claim to SCOPE_* authorities, so
                // Keycloak roles need a custom JwtAuthenticationConverter to reach this check.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```
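As an added example (not part of the skill file), the companion configuration below closes two gaps the minimal snippet above leaves open: explicit audience (aud) validation, and mapping Keycloak realm roles from realm_access.roles to ROLE_* authorities so that hasRole("ADMIN") matches. With jwt(Customizer.withDefaults()) Spring Security picks up both beans automatically; the issuer URL and the audience value my-api are assumed placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Configuration
public class KeycloakJwtConfig {
    // Assumed values: your Keycloak realm issuer and the client id your API expects in "aud".
    private static final String ISSUER = "https://keycloak.example.com/realms/demo";
    private static final String AUDIENCE = "my-api";
    @Bean
    public NimbusJwtDecoder jwtDecoder() {
        // Signature check against the realm's JWKS, which Keycloak serves under /protocol/openid-connect/certs.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(ISSUER + "/protocol/openid-connect/certs").build();
        // The default validators cover exp/nbf and iss; "aud" is only checked if added explicitly.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            // Keep the default SCOPE_* authorities derived from the "scope" claim...
            List<GrantedAuthority> authorities = new ArrayList<>(new JwtGrantedAuthoritiesConverter().convert(jwt));
            // ...and add Keycloak realm roles (realm_access.roles) with the ROLE_ prefix hasRole() expects.
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            if (realmAccess != null) {
                for (Object role : (List<?>) realmAccess.getOrDefault("roles", List.of())) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
                }
            }
            return authorities;
        });
        return converter;
    }
}
```

Client-scoped roles live under resource_access.<client-id>.roles instead and need the same treatment if you authorize on them.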

ABAC vs RBAC Decision Matrix

| Use RBAC when | Use ABAC when |
|---|---|
| Simple role hierarchy | Context-dependent access (time, location) |
| Static permissions | Resource-level attributes matter |
| Small number of roles | Complex business rules |
| Audit simplicity needed | Fine-grained, dynamic policies |

Reference Files

For detailed guidance, consult these references:

Workflow: Security Review

  1. Identify attack surface: Public endpoints, auth flows, data exposure
  2. Check authentication: Token validation, session handling, credential storage
  3. Check authorization: Access control at endpoint and resource level
  4. Review data handling: Input validation, output encoding, sensitive data exposure
  5. Examine configuration: Security headers, CORS, error handling, logging
  6. Test edge cases: Token expiry, concurrent sessions, privilege escalation

Common Security Pitfalls

```
❌ Trusting JWT without signature validation
❌ Storing tokens in localStorage (XSS vulnerable)
❌ Using symmetric keys across services
❌ Missing audience validation
❌ Exposing stack traces in errors
❌ Permissive CORS (Access-Control-Allow-Origin: *)
❌ Missing rate limiting on auth endpoints
❌ Logging sensitive data (tokens, passwords)
❌ String concatenation in SQL queries (injection)
❌ Using innerHTML without sanitization
❌ Allowing javascript: URLs in user-controlled hrefs
❌ Disabling CSRF for cookie-authenticated APIs
❌ GET requests with side effects (CSRF vulnerable)
```

Debugging Security Issues

For auth failures, check in order:

  1. Token format and encoding (is it valid JWT structure?)
  2. Signature verification (correct algorithm and key?)
  3. Claims validation (exp, iss, aud correct?)
  4. Role/scope mapping (Keycloak mappers configured?)
  5. Spring Security filter chain (debug with logging.level.org.springframework.security=DEBUG)