Skillshub spring-boot-security

Spring Security 6+ standards, Lambda DSL, and Hardening. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot. (triggers: **/*SecurityConfig.java, **/*Filter.java, security-filter-chain, lambda-dsl, csrf, cors)

install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/HoangNguyen0403/agent-skills-standard/spring-boot-security" ~/.claude/skills/comeonoliver-skillshub-spring-boot-security && rm -rf "$T"
manifest: skills/HoangNguyen0403/agent-skills-standard/spring-boot-security/SKILL.md
source content

Spring Boot Security Standards

Priority: P0 (CRITICAL)

Implementation Guidelines

Configuration (Spring Security 6+)

  • Lambda DSL: ALWAYS use the Lambda DSL.
  • SecurityFilterChain: Expose it as a @Bean. Do not extend WebSecurityConfigurerAdapter (deprecated in 5.7, removed in 6.0).
  • Statelessness: Enforce SessionCreationPolicy.STATELESS for REST APIs so no session is created and nothing can be ridden by a browser.

Golden Snippet

See Security Configuration for the full SecurityFilterChain example.
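The following is an added example, not the skill's own Golden Snippet and not code from the upstream repository: a Spring Security 6 configuration that applies the three rules above (Lambda DSL, SecurityFilterChain exposed as a bean, STATELESS sessions), wires JWT bearer authentication, and adds a method-level @PreAuthorize check. The package name, the paths and the orders:read scope are assumptions. The JwtDecoder it relies on is taken from the application context (Spring Boot auto-configures one from spring.security.oauth2.resourceserver.jwt.* properties).

```java
package com.example.security;

import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // required for @PreAuthorize to be enforced
public class SecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Pure token API: the bearer token in the Authorization header is the only
            // credential, so there is no session to protect and CSRF can be disabled.
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // URL-level authorization uses requestMatchers (antMatchers no longer exists in 6).
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .requestMatchers(HttpMethod.POST, "/api/auth/token").permitAll()
                // The default JwtAuthenticationConverter maps the scope claim to SCOPE_* authorities.
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .anyRequest().authenticated())
            // Authentication: the JWT is validated by the JwtDecoder bean in the context.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // Browser login mechanisms have no place on a token-only API.
            .httpBasic(AbstractHttpConfigurer::disable)
            .formLogin(AbstractHttpConfigurer::disable);
        return http.build();
    }
}

// Authorization at method level: the caller must present the (assumed) orders:read scope.
@RestController
@RequestMapping("/api/orders")
class OrderController {

    @GetMapping("/{id}")
    @PreAuthorize("hasAuthority('SCOPE_orders:read')")
    public Map<String, Object> getOrder(@PathVariable String id, @AuthenticationPrincipal Jwt jwt) {
        // With a JWT resource server the authenticated principal is the validated Jwt itself.
        return Map.of("id", id, "requestedBy", jwt.getSubject());
    }
}
```

The split is deliberate: the filter chain decides who may reach a URL at all (coarse, request-level), while @PreAuthorize carries the rule that belongs to the operation (fine-grained, travels with the method). A request that passes the chain but lacks the scope is rejected with 403 before the controller body runs.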

Authentication vs Authorization

  • Authentication: Validation of credentials (Who are you?). Use AuthenticationManager or JwtDecoder.
  • Authorization: Verification of access rights (Can you do this?). Use @PreAuthorize (with @EnableMethodSecurity) for method rules and authorizeHttpRequests for URL rules.

JWT Best Practices

  • Algorithm: Pin the expected algorithm (RS256 or HS256) on the decoder; never let the token's alg header select it. Reject the none algorithm. Prefer RS256 when a separate authorization server issues the tokens, so the API holds only the public key.
  • Claims: Validate iss, aud, and exp (and nbf where present). aud is not checked by default and must be added explicitly.
  • Tokens: Short-lived access tokens (15m); refresh tokens in an HttpOnly, Secure, SameSite cookie scoped to the refresh endpoint.
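An added example (not from the skill or the upstream repository) of a JwtDecoder that implements the three bullets: the signing algorithm is pinned on the decoder rather than read from the token, iss/exp/nbf and aud are validated, and a helper builds the refresh-token cookie with the flags above. The app.jwt.* property names, the cookie name and the refresh path are assumptions.

```java
package com.example.security;

import java.time.Duration;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseCookie;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtConfig {

    // Hypothetical property names: issuer, JWKS URL and audience come from configuration, not code.
    @Bean
    JwtDecoder jwtDecoder(@Value("${app.jwt.jwks-uri}") String jwksUri,
                          @Value("${app.jwt.issuer}") String issuer,
                          @Value("${app.jwt.audience}") String audience) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwksUri)
                // The server fixes the algorithm. A token whose header claims HS256 or "none"
                // fails signature verification before any of its claims are trusted, which
                // closes the classic key-confusion trick.
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // createDefaultWithIssuer = timestamp checks (exp, nbf, with clock skew) + exact iss match.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(issuer);

        // aud is not validated by default: a token minted for another API must not open this one.
        OAuth2TokenValidator<Jwt> audienceValidator = jwt -> {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "required audience " + audience + " is missing", null));
        };

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audienceValidator));
        return decoder;
    }

    // The refresh token never reaches JavaScript (HttpOnly), only travels over TLS (Secure), is not
    // sent cross-site (SameSite), and is path-scoped so the browser does not attach it to every call.
    public static ResponseCookie refreshTokenCookie(String refreshToken) {
        return ResponseCookie.from("refresh_token", refreshToken) // assumed cookie name
                .httpOnly(true)
                .secure(true)
                .sameSite("Strict")
                .path("/api/auth/refresh")                        // assumed refresh endpoint
                .maxAge(Duration.ofDays(7))
                .build();
    }
}
```

For an HS256 deployment the builder changes to NimbusJwtDecoder.withSecretKey(key).macAlgorithm(MacAlgorithm.HS256).build(); the validators stay the same. Either way the key and algorithm are chosen by the server, which is the point of the first bullet.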

Hardening Checklist

  • CSRF: Disabled for pure (stateless, token-in-header) APIs? Enabled with a cookie token repository for browser apps?
  • CORS: Only specific origins permitted? No * combined with credentials?
  • Headers: HSTS, X-Content-Type-Options, X-Frame-Options enabled?
  • Secrets: No hardcoded keys? Loaded from Vault/environment?
  • Rate Limiting: Applied on login and other expensive endpoints?
  • Dependencies: Scanned for CVEs?

Anti-Patterns

  • No Adapter: Use a SecurityFilterChain bean instead of extending legacy classes.
  • No .and(): Use the Lambda DSL for configuration.
  • No Secrets: Load from Vault or environment variables (never git).
  • No antMatchers: Use requestMatchers (Spring Security 6+).

References