AgentSkillsCN

spring-security

Best practices for Spring Security 6 authentication, authorization, and OAuth2

SKILL.md
---
name: spring-security
description: Spring Security 6 patterns for authentication, authorization, and OAuth2
keywords:
  - spring-security
  - security
  - authentication
  - authorization
  - oauth2
  - jwt
  - filter
  - csrf
  - method security
filePatterns:
  - "*.java"
  - "application.yml"
  - "application.properties"
frameworks:
  - spring-security
  - spring-boot
tokenCount: 3000
version: 1.0.0
---

# Spring Security Patterns

Spring Security 6 patterns for securing APIs. Favor explicit security rules and least privilege.

## Selective Reading Rule

Read only files relevant to the request. Use the content map to focus.

## Content Map

| File | Description | When to Read |
|------|-------------|--------------|
| http-security.md | SecurityFilterChain, HttpSecurity | Basic config |
| jwt.md | JWT auth, filters | Token-based APIs |
| oauth2.md | OAuth2 login/resource server | OAuth flows |
| method-security.md | @PreAuthorize, @Secured | Method-level rules |

## Core Patterns

### 1. SecurityFilterChain

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            // Dropping CSRF protection is only safe for a stateless, token-authenticated API
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Exposes every actuator endpoint; in production narrow this to health/info or require a role
                .requestMatchers("/actuator/**").permitAll()
                .requestMatchers(HttpMethod.POST, "/api/v1/auth/**").permitAll()
                .anyRequest().authenticated()
            )
            .build();
    }
}
```

### 2. JWT Authentication Filter

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class JwtAuthFilter extends OncePerRequestFilter {
    private final JwtService jwtService;
    public JwtAuthFilter(JwtService jwtService) {
        this.jwtService = jwtService;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws IOException, ServletException {
        String token = resolveToken(request);
        // Authenticate only a token that verifies; a bad or missing token leaves the request anonymous
        if (token != null && jwtService.isValid(token)) {
            Authentication auth = jwtService.getAuthentication(token);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        filterChain.doFilter(request, response);
    }
    // Return the bearer token from the Authorization header, or null when none is present
    private String resolveToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        return (header != null && header.startsWith("Bearer ")) ? header.substring(7) : null;
    }
}
```
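The `JwtService` the filter depends on is not shown in the skill. The following is an added example, not the skill's own code, built on Spring Security's `NimbusJwtDecoder`; it assumes `spring-security-oauth2-jose` on the classpath, an HS256 secret supplied from the environment, and a `roles` claim listing role names that are mapped to `ROLE_`-prefixed authorities so `hasRole('ADMIN')` in the method-security rules matches.

```java
import java.util.ArrayList;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Hypothetical JwtService backing JwtAuthFilter (example code, not part of the skill).
// Assumes an HS256 secret of at least 32 bytes loaded from configuration, never hard-coded,
// and a "roles" claim such as ["ADMIN", "USER"] issued by the trusted token issuer.
public class JwtService {

    private final JwtDecoder decoder;

    public JwtService(byte[] hmacSecret) {
        SecretKey key = new SecretKeySpec(hmacSecret, "HmacSHA256");
        // NimbusJwtDecoder verifies the HMAC signature and the exp/nbf claims by default
        this.decoder = NimbusJwtDecoder.withSecretKey(key).build();
    }

    // True only when the signature verifies and the token is inside its validity window
    public boolean isValid(String token) {
        try {
            decoder.decode(token);
            return true;
        } catch (JwtException e) {
            return false;
        }
    }

    // Build an authenticated token; Spring's hasRole('X') expects the authority "ROLE_X"
    public Authentication getAuthentication(String token) {
        Jwt jwt = decoder.decode(token);
        List<String> roles = jwt.getClaimAsStringList("roles");
        List<GrantedAuthority> authorities = new ArrayList<>();
        if (roles != null) {
            roles.forEach(r -> authorities.add(new SimpleGrantedAuthority("ROLE_" + r)));
        }
        return UsernamePasswordAuthenticationToken.authenticated(jwt.getSubject(), token, authorities);
    }
}
```

Register the filter once in the chain with `http.addFilterBefore(new JwtAuthFilter(jwtService), UsernamePasswordAuthenticationFilter.class)`, and inject `hmacSecret` from configuration rather than source, as the anti-patterns table below requires.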

### 3. Method Security

```java
import org.springframework.security.access.prepost.PreAuthorize;

// Requires @EnableMethodSecurity on a @Configuration class; the SpEL rule is evaluated before the body runs
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(String id) {
    userRepository.deleteById(id);
}
```

## Decision Checklist

- Stateless API? -> JWT + stateless session
- Admin-only endpoints? -> @PreAuthorize
- Public endpoints explicitly allow-listed?
- Secrets stored outside code?
## Anti-Patterns

| Anti-Pattern | Why Bad | Better Approach |
|--------------|---------|-----------------|
| PermitAll on broad paths | Security holes | Explicit allow list |
| Storing secrets in code | Leaks | Env variables or vault |
| Mixing auth and business logic | Hard to maintain | Dedicated filters/services |

## Related Skills

| Need | Skill |
|------|-------|
| Core Spring patterns | @[skills/spring-boot-patterns] |
| Testing | @[skills/spring-testing] |