
spring-boot-security

Spring Security 7 implementation for Spring Boot 4. Use when configuring authentication, authorization, OAuth2/JWT resource servers, method security, or CORS/CSRF. Covers the mandatory Lambda DSL migration, SecurityFilterChain patterns, @PreAuthorize, and password encoding. For testing secured endpoints, see spring-boot-testing skill.

Stars: 14
Source: joaquimscosta/arkhe-claude-plugins
Updated: 2026-05-26
Slug: joaquimscosta--arkhe-claude-plugins--spring-boot-security

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/joaquimscosta/arkhe-claude-plugins/HEAD/plugins/spring-boot/skills/spring-boot-security/SKILL.md -o .claude/skills/spring-boot-security.md

Drops the SKILL.md into .claude/skills/spring-boot-security.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Spring Security 7 for Spring Boot 4

Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.

Critical Breaking Changes

| Removed API                  | Replacement                 | Status   |
|------------------------------|-----------------------------|----------|
| and() method                 | Lambda DSL closures         | Required |
| authorizeRequests()          | authorizeHttpRequests()     | Required |
| antMatchers()                | requestMatchers()           | Required |
| WebSecurityConfigurerAdapter | SecurityFilterChain bean    | Required |
| @EnableGlobalMethodSecurity  | @EnableMethodSecurity       | Required |

Core Workflow

  1. Create SecurityFilterChain → 2. Define authorization → 3. Configure authentication → 4. Add method security → 5. Handle CORS/CSRF

See WORKFLOW.md for detailed step-by-step instructions with code examples.
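The five workflow steps above, carried through as one complete stateless JWT resource-server configuration in the Spring Security 7 Lambda DSL. This is an added example, not code from the skill's WORKFLOW.md or EXAMPLES.md. It assumes the spring-boot-starter-oauth2-resource-server dependency, that spring.security.oauth2.resourceserver.jwt.issuer-uri is set in application properties, that the issuer puts roles in a "roles" claim, and the hypothetical origin https://app.example.com and /api/** paths.

```java
package com.example.security;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Step 1: a SecurityFilterChain bean replaces the removed WebSecurityConfigurerAdapter.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API: no HTTP session exists, so CSRF does not apply and is
            // disabled on purpose. Never copy this line onto a cookie/session-based chain.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // Step 5 (CORS): withDefaults() picks up the CorsConfigurationSource bean below.
            .cors(Customizer.withDefaults())
            // Step 2: authorization. The first matching rule wins, so the most specific
            // matchers come first and the chain ends with a catch-all. denyAll() is stricter
            // than the authenticated() default and closes anything outside /api/**.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.DELETE, "/api/orders/**").hasRole("ADMIN")
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll()
            )
            // Step 3: authentication by validating the bearer JWT against the issuer's JWKS.
            // The issuer URI is assumed to be configured in application properties.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter()))
            );
        return http.build();
    }

    // Maps the assumed "roles" claim to ROLE_* authorities so hasRole("ADMIN") above matches.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");
        roles.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }

    // Step 5: explicit origin allow-list (hypothetical origin). No wildcard origin and no
    // credentials: the token travels in the Authorization header, not in cookies.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(false);
        config.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```

Two checks worth running against this shape of configuration: move the `/api/public/**` matcher below `/api/**` and the public endpoints start returning 401, which is the ordering rule in the reminders; and replace `denyAll()` with `permitAll()` to see why every catch-all must be audited, since any new controller outside `/api/**` would then be open by default. Step 4 (method security) is a separate concern and is shown in the session-based example further down.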

Quick Patterns

See EXAMPLES.md for complete working examples including:

  • REST API Security with JWT/OAuth2 (Java + Kotlin)
  • Form Login with Session Security and CSRF
  • Method Security with @PreAuthorize and SpEL
  • CORS Configuration for cross-origin APIs
  • Password Encoder (Argon2 for Security 7)

Spring Boot 4 Specifics

  • Lambda DSL is mandatory (no and() chaining)
  • Argon2 password encoder: Argon2PasswordEncoder.defaultsForSpring7()
  • CSRF for SPAs: CookieCsrfTokenRepository.withHttpOnlyFalse()
  • @EnableMethodSecurity replaces @EnableGlobalMethodSecurity
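The session-based counterpart for the Quick Patterns list above (form login with session security and CSRF, @PreAuthorize with SpEL, Argon2 password encoding) and for the Spring Boot 4 specifics (CSRF for SPAs, @EnableMethodSecurity). This is an added example, not the skill's own EXAMPLES.md code. It assumes a browser SPA that reads the XSRF-TOKEN cookie and echoes it in the X-XSRF-TOKEN header, hypothetical paths (/login, /css/**, /js/**), and a hypothetical OrderService. The Argon2 encoder is built with explicit parameters (OWASP's recommended floor of 19 MiB memory, 2 iterations, parallelism 1) rather than the factory method the page names; the SpaCsrfTokenRequestHandler follows the pattern in the Spring Security single-page-application documentation.

```java
package com.example.security;

import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // Security 7 replacement for @EnableGlobalMethodSecurity; enables @PreAuthorize
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.logoutUrl("/logout"))
            // Session-based auth keeps CSRF enabled. For an SPA the token is stored in a
            // readable XSRF-TOKEN cookie so the JavaScript client can send it back as a header.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
            )
            // Rotate the session id on login (fixation) and cap concurrent sessions per user.
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.changeSessionId())
                .maximumSessions(1)
            );
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Argon2id: 16-byte salt, 32-byte hash, parallelism 1, 19456 KiB (19 MiB) memory,
        // 2 iterations. Parameters are this example's choice, tune to your hardware budget.
        return new Argon2PasswordEncoder(16, 32, 1, 19_456, 2);
    }

    // Accepts the raw cookie value when it arrives in the header, keeps BREACH-resistant
    // (XOR-masked) handling for form parameters, and loads the token on every request so the
    // cookie is actually written instead of being deferred.
    static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           Supplier<CsrfToken> csrfToken) {
            this.xor.handle(request, response, csrfToken);
            csrfToken.get();
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            String headerValue = request.getHeader(csrfToken.getHeaderName());
            return (StringUtils.hasText(headerValue) ? this.plain : this.xor)
                    .resolveCsrfTokenValue(request, csrfToken);
        }
    }
}

// Method security: the check lives on the service, so it holds no matter which URL called it.
// Hypothetical service; #ownerId binds the method parameter, authentication.name the caller.
@Service
class OrderService {

    @PreAuthorize("hasRole('ADMIN') or #ownerId == authentication.name")
    public String cancelOrder(String ownerId, long orderId) {
        return "cancelled order " + orderId + " for " + ownerId;
    }
}
```

Without @EnableMethodSecurity the @PreAuthorize annotation is silently ignored and cancelOrder runs for any caller, which is why reminder 4 below is on the list. The same applies if OrderService calls cancelOrder on itself: the check is applied by a proxy, so self-invocation bypasses it.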

Detailed References

Related Skills

| Need                        | Skill                      |
|-----------------------------|----------------------------|
| Testing secured endpoints   | spring-boot-testing        |
| Actuator endpoint security  | spring-boot-observability  |
| Dependency verification     | spring-boot-verify         |

Anti-Pattern Checklist

| Anti-Pattern                                | Fix                                                        |
|---------------------------------------------|------------------------------------------------------------|
| Using and() chaining                        | Use Lambda DSL closures                                    |
| antMatchers()                               | Replace with requestMatchers()                             |
| authorizeRequests()                         | Replace with authorizeHttpRequests()                       |
| CSRF disabled on a session-based chain      | Keep CSRF enabled for session auth; disable only on stateless JWT chains |
| Hardcoded credentials                       | Use environment variables or a Secret Manager              |
| permitAll() on sensitive endpoints          | Audit every permit rule                                    |
| Missing catch-all rule                      | End with .anyRequest().authenticated() (or denyAll())      |

Critical Reminders

  1. Lambda DSL is mandatory — No more and() chaining in Security 7
  2. Order matters — the first matching rule wins, so put more specific requestMatchers before general ones
  3. CSRF for sessions — Only disable for stateless JWT APIs
  4. Method security needs enabling — Add @EnableMethodSecurity
  5. Test security configuration — Use @WithMockUser and JWT test support (see spring-boot-testing)