spring-boot-security
Spring Security 7 for Spring Boot 4
Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.
Critical Breaking Changes
| Removed API | Replacement | Status |
|---|---|---|
| `and()` method | Lambda DSL closures | Required |
| `authorizeRequests()` | `authorizeHttpRequests()` | Required |
| `antMatchers()` | `requestMatchers()` | Required |
| `WebSecurityConfigurerAdapter` | `SecurityFilterChain` bean | Required |
| `@EnableGlobalMethodSecurity` | `@EnableMethodSecurity` | Required |
Core Workflow
1. Create `SecurityFilterChain`
2. Define authorization
3. Configure authentication
4. Add method security
5. Handle CORS/CSRF
See WORKFLOW.md for detailed step-by-step instructions with code examples.
Quick Patterns
See EXAMPLES.md for complete working examples including:
- REST API Security with JWT/OAuth2 (Java + Kotlin)
- Form Login with Session Security and CSRF
- Method Security with @PreAuthorize and SpEL
- CORS Configuration for cross-origin APIs
- Password Encoder (Argon2 for Security 7)
Spring Boot 4 Specifics
- Lambda DSL is mandatory (no `and()` chaining)
- Argon2 password encoder: `Argon2PasswordEncoder.defaultsForSpring7()`
- CSRF for SPAs: `CookieCsrfTokenRepository.withHttpOnlyFalse()`
- `@EnableMethodSecurity` replaces `@EnableGlobalMethodSecurity`
Detailed References
- Workflow: See WORKFLOW.md for detailed step-by-step security configuration
- Examples: See EXAMPLES.md for complete working code examples
- Troubleshooting: See TROUBLESHOOTING.md for common issues and Boot 4 migration
- Security Configuration: See references/SECURITY-CONFIG.md for complete SecurityFilterChain patterns
- Authentication: See references/AUTHENTICATION.md for UserDetailsService, password encoding
- JWT/OAuth2: See references/JWT-OAUTH2.md for resource server, token validation
Related Skills
| Need | Skill |
|---|---|
| Testing secured endpoints | spring-boot-testing |
| Actuator endpoint security | spring-boot-observability |
| Dependency verification | spring-boot-verify |
Anti-Pattern Checklist
| Anti-Pattern | Fix |
|---|---|
| Using `and()` chaining | Use Lambda DSL closures |
| `antMatchers()` | Replace with `requestMatchers()` |
| `authorizeRequests()` | Replace with `authorizeHttpRequests()` |
| CSRF disabled without JWT | Keep CSRF for session-based auth |
| Hardcoded credentials | Use environment variables or Secret Manager |
| `permitAll()` on sensitive endpoints | Audit all permit rules |
| Missing `authenticated()` default | End with `.anyRequest().authenticated()` |
Critical Reminders
- Lambda DSL is mandatory — No more `and()` chaining in Security 7
- Order matters — More specific `requestMatchers` before general ones
- CSRF for sessions — Only disable for stateless JWT APIs
- Method security needs enabling — Add `@EnableMethodSecurity`
- Test security configuration — Use `@WithMockUser` and JWT test support (see `spring-boot-testing`)
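The following configuration is an added example, not code from this skill's WORKFLOW.md or EXAMPLES.md, that puts the Core Workflow steps, the Spring Boot 4 specifics and the reminders above into one file: two `SecurityFilterChain` beans written in the Lambda DSL, specific `requestMatchers` rules ahead of a closing `.anyRequest().authenticated()`, CSRF disabled only on the stateless JWT chain and kept (with the SPA cookie repository) on the session chain, `@EnableMethodSecurity` with a `@PreAuthorize` SpEL rule, and an Argon2 encoder. The package name, the `/api/**`, `/admin/**` and `/api/public/**` paths, the `app.bootstrap-admin-password` property and the `ReportService` class are assumptions made for illustration. The JWT chain assumes `spring-boot-starter-oauth2-resource-server` is on the classpath and `spring.security.oauth2.resourceserver.jwt.issuer-uri` is set; the Argon2 bean uses the explicit constructor with Spring's documented 5.8 defaults rather than a factory method.

```java
package com.example.security; // assumed package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // step 4: enables @PreAuthorize; replaces @EnableGlobalMethodSecurity
public class SecurityConfig {

    // Chain 1 (evaluated first): stateless JWT resource server for /api/** only.
    // CSRF is disabled here and only here: no cookie or session authenticates these requests.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                // order matters: specific matchers first, the catch-all last
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: everything else is a browser app with form login and a session, so CSRF stays on.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**", "/js/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults())
            // SPA-style CSRF: token in a readable cookie that the client echoes back in X-XSRF-TOKEN
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }

    // Step 3: Argon2 password hashing. Parameters: 16-byte salt, 32-byte hash,
    // parallelism 1, 16 MiB memory, 2 iterations (Spring's 5.8 defaults; tune to your hardware).
    @Bean
    PasswordEncoder passwordEncoder() {
        return new Argon2PasswordEncoder(16, 32, 1, 1 << 14, 2);
    }

    // Bootstrap user store for the session chain. The password is injected from configuration
    // (assumed property app.bootstrap-admin-password), never written as a string literal.
    @Bean
    UserDetailsService users(PasswordEncoder encoder,
                             @Value("${app.bootstrap-admin-password}") String adminPassword) {
        return new InMemoryUserDetailsManager(
            User.builder()
                .username("admin")
                .password(encoder.encode(adminPassword))
                .roles("ADMIN")
                .build());
    }
}

// Step 4 in use: a method-level rule with SpEL. Admins may read any report; everyone else only
// reports whose ownerId equals their own principal name. Assumed service for illustration.
@Service
class ReportService {
    @PreAuthorize("hasRole('ADMIN') or #ownerId == authentication.name")
    public String report(String ownerId) {
        return "report for " + ownerId;
    }
}
```

If `/api/admin/**` were listed after `.anyRequest().authenticated()` the build would fail, and if it were listed after a broader `/api/**` rule the broader rule would win; keeping the narrowest matchers first is what the "order matters" reminder means in practice. Verify both chains with `@WithMockUser` for the session chain and `SecurityMockMvcRequestPostProcessors.jwt()` for the API chain, as described in `spring-boot-testing`.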