
spring-security skill


This skill helps you implement Spring Security for authentication, authorization, OAuth2, and JWT with best practices across Spring applications.

npx playbooks add skill partme-ai/full-stack-skills --skill spring-security


Files (2)

SKILL.md
---
name: spring-security
description: Provides comprehensive guidance for Spring Security including authentication, authorization, OAuth2, JWT, and security best practices. Use when the user asks about Spring Security, needs to implement security in Spring applications, configure authentication, or work with security features.
license: Complete terms in LICENSE.txt
---

## When to use this skill

Use this skill whenever the user wants to:
- [To be completed: add usage scenarios for the specific tool]

## How to use this skill

[To be completed: add a usage guide for the specific tool]

## Best Practices

[To be completed: add best practices for the specific tool]

## Keywords

[To be completed: add keywords for the specific tool]

Overview

This skill provides comprehensive, practical guidance for securing Spring applications using Spring Security. It covers authentication, authorization, OAuth2, JWT, method and URL security, and common best practices. Use it to design, configure, and troubleshoot security for Spring Boot and Spring MVC projects.

How this skill works

The skill inspects your security requirements and maps them to Spring Security components, recommending configuration snippets, filter chains, and bean definitions. It explains how to implement authentication providers, configure OAuth2 and JWT flows, and apply method-level and URL-based access controls. It also helps debug common issues like CSRF, CORS, and token validation failures.

When to use it

  • Implementing authentication and authorization in Spring Boot or Spring MVC applications
  • Configuring OAuth2 clients, resource servers, or authorization servers
  • Securing REST APIs with JWTs and token validation
  • Applying role-based or permission-based access control at method or endpoint levels
  • Hardening application security and addressing common vulnerabilities (CSRF, CORS, session fixation)

Best practices

  • Centralize security configuration with a SecurityConfig class and clear filter order
  • Prefer stateless JWT-based resource servers for APIs and keep token verification fast
  • Use OAuth2/OpenID Connect for delegated authentication; never roll your own auth protocol
  • Apply least privilege: protect endpoints by roles/authorities and use method-level checks where needed
  • Enable CSRF protection for browser clients and configure CORS only for trusted origins
  • Log auth events and monitor token lifecycles; rotate keys and secrets regularly

Example use cases

  • Secure a Spring Boot REST API as a JWT resource server with token introspection or public-key verification
  • Configure an OAuth2 client to integrate login with Google or Okta and map claims to authorities
  • Migrate a legacy session-based app to stateless tokens while preserving role checks
  • Add method-level @PreAuthorize annotations to sensitive service methods and test with mock identities
  • Troubleshoot access denied errors by inspecting filter chain, antMatchers, and GrantedAuthority mappings

FAQ

Should I use sessions or JWTs for API security?

Use stateless JWTs for public APIs and microservices for scalability; prefer session-based auth for traditional web apps where server-side session features are needed.

How do I validate JWTs efficiently?

Validate signature and claims locally using the provider's public key or JWKS; cache keys and avoid repeated network calls for performance.
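The following is an added example, not one of this skill's files, showing the best practices above (one SecurityConfig class, stateless resource server, least-privilege matchers) together with the local JWKS-based validation this answer describes. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-resource-server on the classpath; the issuer, JWKS URL, audience and paths are placeholders.

```java
import java.util.Collection;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize checks on service methods
public class SecurityConfig {

    // Placeholders: replace with your identity provider's issuer, JWKS URL and the audience it issues for this API.
    private static final String ISSUER = "https://issuer.example";
    private static final String JWKS_URI = ISSUER + "/.well-known/jwks.json";
    private static final String AUDIENCE = "orders-api";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Stateless API: no HTTP session is created, so there is no cookie session for CSRF to protect.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // Least privilege: explicit allow-list first; the default converter maps the "scope" claim to SCOPE_* authorities.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/orders/**").hasAuthority("SCOPE_orders:write")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }

    // Local verification: signing keys are fetched from the JWKS endpoint and cached by
    // NimbusJwtDecoder; signature, expiry, issuer and audience are checked on every request.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
}
```

A token whose signature does not match a cached JWKS key, whose issuer differs, or whose "aud" claim lacks the expected audience is rejected with 401 before any controller runs.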