Arkhe-claude-plugins spring-boot-security

Spring Security 7 implementation for Spring Boot 4. Use when configuring authentication, authorization, OAuth2/JWT resource servers, method security, or CORS/CSRF. Covers the mandatory Lambda DSL migration, SecurityFilterChain patterns, @PreAuthorize, and password encoding. For testing secured endpoints, see spring-boot-testing skill.

install

source · Clone the upstream repo

git clone https://github.com/joaquimscosta/arkhe-claude-plugins

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/joaquimscosta/arkhe-claude-plugins "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/spring-boot/skills/spring-boot-security" ~/.claude/skills/joaquimscosta-arkhe-claude-plugins-spring-boot-security && rm -rf "$T"

manifest: plugins/spring-boot/skills/spring-boot-security/SKILL.md

source content

Spring Security 7 for Spring Boot 4

Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.

Critical Breaking Changes

Removed API	Replacement	Status
`and()` method	Lambda DSL closures	Required
`authorizeRequests()`	`authorizeHttpRequests()`	Required
`antMatchers()`	`requestMatchers()`	Required
`WebSecurityConfigurerAdapter`	`SecurityFilterChain` bean	Required
`@EnableGlobalMethodSecurity`	`@EnableMethodSecurity`	Required

Core Workflow

Create SecurityFilterChain → 2. Define authorization → 3. Configure authentication → 4. Add method security → 5. Handle CORS/CSRF

See WORKFLOW.md for detailed step-by-step instructions with code examples.

Quick Patterns

See EXAMPLES.md for complete working examples including:

REST API Security with JWT/OAuth2 (Java + Kotlin)
Form Login with Session Security and CSRF
Method Security with @PreAuthorize and SpEL
CORS Configuration for cross-origin APIs
Password Encoder (Argon2 for Security 7)

Spring Boot 4 Specifics

Lambda DSL is mandatory (no
```
and()
```
chaining)

Argon2 password encoder:

Argon2PasswordEncoder.defaultsForSpring7()

CSRF for SPAs:

CookieCsrfTokenRepository.withHttpOnlyFalse()

@EnableMethodSecurity replaces
```
@EnableGlobalMethodSecurity
```

Detailed References

Workflow: See WORKFLOW.md for detailed step-by-step security configuration
Examples: See EXAMPLES.md for complete working code examples
Troubleshooting: See TROUBLESHOOTING.md for common issues and Boot 4 migration
Security Configuration: See references/SECURITY-CONFIG.md for complete SecurityFilterChain patterns
Authentication: See references/AUTHENTICATION.md for UserDetailsService, password encoding
JWT/OAuth2: See references/JWT-OAUTH2.md for resource server, token validation

Related Skills

Need	Skill
Testing secured endpoints	`spring-boot-testing`
Actuator endpoint security	`spring-boot-observability`
Dependency verification	`spring-boot-verify`

Anti-Pattern Checklist

Anti-Pattern	Fix
Using `and()` chaining	Use Lambda DSL closures
`antMatchers()`	Replace with `requestMatchers()`
`authorizeRequests()`	Replace with `authorizeHttpRequests()`
CSRF disabled without JWT	Keep CSRF for session-based auth
Hardcoded credentials	Use environment variables or Secret Manager
`permitAll()` on sensitive endpoints	Audit all permit rules
Missing `authenticated()` default	End with `.anyRequest().authenticated()`

Critical Reminders

Lambda DSL is mandatory — No more
```
and()
```
chaining in Security 7
Order matters — More specific
```
requestMatchers
```
before general ones
CSRF for sessions — Only disable for stateless JWT APIs
Method security needs enabling — Add
```
@EnableMethodSecurity
```
Test security configuration — Use
```
@WithMockUser
```
and JWT test support (see
```
spring-boot-testing
```
)