Springboot Security

Streamline Spring Boot Security configuration, automation, and seamless integration

Category: productivity Source: affaan-m/everything-claude-code

Spring Boot Security is an AI skill that provides patterns for implementing authentication, authorization, and security configurations in Spring Boot applications. It covers JWT authentication, role-based access control, security filter chains, CORS configuration, OAuth2 integration, and method-level security that enable developers to build secure Spring Boot APIs.

What Is This?

Overview

Spring Boot Security provides structured approaches to securing Java web applications. It handles configuring security filter chains with endpoint-level access rules, implementing JWT-based stateless authentication for API services, defining role-based and permission-based authorization policies, setting up CORS policies for cross-origin API access, integrating OAuth2 and OpenID Connect for external identity providers, and applying method-level security annotations for fine-grained access control.

Who Should Use This

This skill serves Java developers implementing authentication in Spring Boot APIs, security engineers configuring access control for microservices, backend teams integrating with OAuth2 identity providers, and architects designing security for distributed Spring applications.

Why Use It?

Problems It Solves

Insecure default configurations expose endpoints without authentication. Custom authentication implementations introduce vulnerabilities when not following established patterns. Inconsistent authorization checks across endpoints create security gaps. CORS misconfiguration blocks legitimate frontend requests or allows unauthorized origins.

Core Highlights

Filter chain configuration defines endpoint access rules declaratively in one location. JWT integration enables stateless authentication suitable for microservice architectures. Role-based access control restricts endpoints based on user authorities. CORS configuration controls cross-origin access with specific origin and method rules.

How to Use It?

Basic Usage

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(
            HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/**").authenticated()
                .anyRequest().permitAll())
            .addFilterBefore(
                jwtFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source =
            new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}

Real-World Examples

@Component
public class JwtAuthFilter extends OncePerRequestFilter {
    private final JwtService jwtService;
    private final UserDetailsService userDetails;

    public JwtAuthFilter(JwtService jwtService,
                         UserDetailsService userDetails) {
        this.jwtService = jwtService;
        this.userDetails = userDetails;
    }

    @Override
    protected void doFilterInternal(
            HttpServletRequest request,
            HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);
            return;
        }
        String token = header.substring(7);
        String username = jwtService.extractUsername(token);
        if (username != null && SecurityContextHolder
                .getContext().getAuthentication() == null) {
            UserDetails user = userDetails
                .loadUserByUsername(username);
            if (jwtService.isValid(token, user)) {
                var auth = new UsernamePasswordAuthenticationToken(
                    user, null, user.getAuthorities());
                SecurityContextHolder.getContext()
                    .setAuthentication(auth);
            }
        }
        chain.doFilter(request, response);
    }
}

@Service
public class JwtService {
    private final String secret;

    public JwtService(@Value("${jwt.secret}") String secret) {
        this.secret = secret;
    }

    public String generateToken(UserDetails user) {
        return Jwts.builder()
            .subject(user.getUsername())
            .issuedAt(new Date())
            .expiration(new Date(
                System.currentTimeMillis() + 86400000))
            .signWith(getSigningKey())
            .compact();
    }

    public String extractUsername(String token) {
        return getClaims(token).getSubject();
    }

    public boolean isValid(String token, UserDetails user) {
        String username = extractUsername(token);
        return username.equals(user.getUsername())
            && !isExpired(token);
    }
}

Advanced Tips

Use method-level @PreAuthorize annotations for fine-grained access control beyond URL patterns. Store JWT secrets in environment variables or a secrets manager rather than application properties. Implement token refresh endpoints to avoid forcing users to re-authenticate frequently.

When to Use It?

Use Cases

Use Spring Boot Security when implementing JWT authentication for stateless API services, when configuring role-based access control for multi-tenant applications, when integrating OAuth2 providers for SSO, or when securing microservice-to-microservice communication.

Related Topics

Spring Security filter chain architecture, OAuth2 Resource Server configuration, JWT token management, CORS policy design, and API gateway security complement Spring Boot Security.

Important Notes

Requirements

Spring Boot 3.x with spring-boot-starter-security dependency. JWT library such as jjwt for token operations. Understanding of HTTP security headers and authentication flows.

Usage Recommendations

Do: disable CSRF for stateless API services that use token-based authentication. Define security rules in a centralized SecurityConfig class for maintainability. Validate JWT signatures and expiration on every request through the security filter.

Don't: store JWT secrets in source code or application.properties committed to version control. Disable security entirely during development, which hides integration issues. Rely solely on URL-based rules without method-level checks for sensitive operations.

Limitations

Spring Security configuration DSL has a steep learning curve for developers new to the framework. JWT tokens cannot be revoked without additional infrastructure like a token blacklist. Complex authorization policies may require custom permission evaluators beyond role checks.