springboot-security — ai-agents springboot-security, everything-claude-code, official, ai-agents, ide skills, anthropic, claude-code, developer-tools, Claude Code, Cursor, Windsurf

Verified
v1.0.0
GitHub

About this Skill

Essential for Java Spring Boot Agents implementing enterprise-grade authentication and authorization. Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.

# Core Topics

ai-agents anthropic claude-code developer-tools
affaan-m affaan-m
[60.6k]
[7501]
Updated: 3/5/2026

Agent Capability Analysis

The springboot-security skill by affaan-m is an open-source official AI agent skill for Claude Code and other IDE workflows, helping agents execute tasks with better context, repeatability, and domain-specific guidance. Optimized for ai-agents, anthropic, claude-code.

Ideal Agent Persona

Essential for Java Spring Boot Agents implementing enterprise-grade authentication and authorization.

Core Value

Enables comprehensive Spring Security implementation including JWT/OAuth2 authentication, role-based authorization with @PreAuthorize, CSRF/CORS configuration, and dependency vulnerability scanning. Provides best practices for input validation, secrets management with Vault, and rate limiting protection.

Capabilities Granted for springboot-security

Implementing JWT authentication flows
Configuring role-based access control with @PreAuthorize
Setting up CSRF protection and CORS headers
Scanning dependencies for CVEs
Applying rate limiting to prevent brute-force attacks

! Prerequisites & Limits

  • Java Spring Boot specific implementation
  • Requires understanding of Spring Security architecture
  • Dependent on Spring ecosystem libraries
Labs Demo

Browser Sandbox Environment

⚡️ Ready to unleash?

Experience this Agent in a zero-setup browser environment powered by WebContainers. No installation required.

Boot Container Sandbox

springboot-security

Install springboot-security, an AI agent skill for AI agent workflows and automation. Works with Claude Code, Cursor, and Windsurf with one-command setup.

SKILL.md
Readonly

Spring Boot Security Review

Use when adding auth, handling input, creating endpoints, or dealing with secrets.

When to Activate

  • Adding authentication (JWT, OAuth2, session-based)
  • Implementing authorization (@PreAuthorize, role-based access)
  • Validating user input (Bean Validation, custom validators)
  • Configuring CORS, CSRF, or security headers
  • Managing secrets (Vault, environment variables)
  • Adding rate limiting or brute-force protection
  • Scanning dependencies for CVEs

Authentication

  • Prefer stateless JWT or opaque tokens with revocation list
  • Use httpOnly, Secure, SameSite=Strict cookies for sessions
  • Validate tokens with OncePerRequestFilter or resource server
java
1@Component
2public class JwtAuthFilter extends OncePerRequestFilter {
3  private final JwtService jwtService;
4
5  public JwtAuthFilter(JwtService jwtService) {
6    this.jwtService = jwtService;
7  }
8
9  @Override
10  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
11      FilterChain chain) throws ServletException, IOException {
12    String header = request.getHeader(HttpHeaders.AUTHORIZATION);
13    if (header != null && header.startsWith("Bearer ")) {
14      String token = header.substring(7);
15      Authentication auth = jwtService.authenticate(token);
16      SecurityContextHolder.getContext().setAuthentication(auth);
17    }
18    chain.doFilter(request, response);
19  }
20}

Authorization

  • Enable method security: @EnableMethodSecurity
  • Use @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)")
  • Deny by default; expose only required scopes
java
1@RestController
2@RequestMapping("/api/admin")
3public class AdminController {
4
5  @PreAuthorize("hasRole('ADMIN')")
6  @GetMapping("/users")
7  public List<UserDto> listUsers() {
8    return userService.findAll();
9  }
10
11  @PreAuthorize("@authz.isOwner(#id, authentication)")
12  @DeleteMapping("/users/{id}")
13  public ResponseEntity<Void> deleteUser(@PathVariable Long id) {
14    userService.delete(id);
15    return ResponseEntity.noContent().build();
16  }
17}

Input Validation

  • Use Bean Validation with @Valid on controllers
  • Apply constraints on DTOs: @NotBlank, @Email, @Size, custom validators
  • Sanitize any HTML with a whitelist before rendering
java
1// BAD: No validation
2@PostMapping("/users")
3public User createUser(@RequestBody UserDto dto) {
4  return userService.create(dto);
5}
6
7// GOOD: Validated DTO
8public record CreateUserDto(
9    @NotBlank @Size(max = 100) String name,
10    @NotBlank @Email String email,
11    @NotNull @Min(0) @Max(150) Integer age
12) {}
13
14@PostMapping("/users")
15public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) {
16  return ResponseEntity.status(HttpStatus.CREATED)
17      .body(userService.create(dto));
18}

SQL Injection Prevention

  • Use Spring Data repositories or parameterized queries
  • For native queries, use :param bindings; never concatenate strings
java
1// BAD: String concatenation in native query
2@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)
3
4// GOOD: Parameterized native query
5@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
6List<User> findByName(@Param("name") String name);
7
8// GOOD: Spring Data derived query (auto-parameterized)
9List<User> findByEmailAndActiveTrue(String email);

Password Encoding

  • Always hash passwords with BCrypt or Argon2 — never store plaintext
  • Use PasswordEncoder bean, not manual hashing
java
1@Bean
2public PasswordEncoder passwordEncoder() {
3  return new BCryptPasswordEncoder(12); // cost factor 12
4}
5
6// In service
7public User register(CreateUserDto dto) {
8  String hashedPassword = passwordEncoder.encode(dto.password());
9  return userRepository.save(new User(dto.email(), hashedPassword));
10}

CSRF Protection

  • For browser session apps, keep CSRF enabled; include token in forms/headers
  • For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth
java
1http
2  .csrf(csrf -> csrf.disable())
3  .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

Secrets Management

  • No secrets in source; load from env or vault
  • Keep application.yml free of credentials; use placeholders
  • Rotate tokens and DB credentials regularly
yaml
1# BAD: Hardcoded in application.yml
2spring:
3  datasource:
4    password: mySecretPassword123
5
6# GOOD: Environment variable placeholder
7spring:
8  datasource:
9    password: ${DB_PASSWORD}
10
11# GOOD: Spring Cloud Vault integration
12spring:
13  cloud:
14    vault:
15      uri: https://vault.example.com
16      token: ${VAULT_TOKEN}

Security Headers

java
1http
2  .headers(headers -> headers
3    .contentSecurityPolicy(csp -> csp
4      .policyDirectives("default-src 'self'"))
5    .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
6    .xssProtection(Customizer.withDefaults())
7    .referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));

CORS Configuration

  • Configure CORS at the security filter level, not per-controller
  • Restrict allowed origins — never use * in production
java
1@Bean
2public CorsConfigurationSource corsConfigurationSource() {
3  CorsConfiguration config = new CorsConfiguration();
4  config.setAllowedOrigins(List.of("https://app.example.com"));
5  config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
6  config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
7  config.setAllowCredentials(true);
8  config.setMaxAge(3600L);
9
10  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
11  source.registerCorsConfiguration("/api/**", config);
12  return source;
13}
14
15// In SecurityFilterChain:
16http.cors(cors -> cors.configurationSource(corsConfigurationSource()));

Rate Limiting

  • Apply Bucket4j or gateway-level limits on expensive endpoints
  • Log and alert on bursts; return 429 with retry hints
java
1// Using Bucket4j for per-endpoint rate limiting
2@Component
3public class RateLimitFilter extends OncePerRequestFilter {
4  private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
5
6  private Bucket createBucket() {
7    return Bucket.builder()
8        .addLimit(Bandwidth.classic(100, Refill.intervally(100, Duration.ofMinutes(1))))
9        .build();
10  }
11
12  @Override
13  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
14      FilterChain chain) throws ServletException, IOException {
15    String clientIp = request.getRemoteAddr();
16    Bucket bucket = buckets.computeIfAbsent(clientIp, k -> createBucket());
17
18    if (bucket.tryConsume(1)) {
19      chain.doFilter(request, response);
20    } else {
21      response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
22      response.getWriter().write("{\"error\": \"Rate limit exceeded\"}");
23    }
24  }
25}

Dependency Security

  • Run OWASP Dependency Check / Snyk in CI
  • Keep Spring Boot and Spring Security on supported versions
  • Fail builds on known CVEs

Logging and PII

  • Never log secrets, tokens, passwords, or full PAN data
  • Redact sensitive fields; use structured JSON logging

File Uploads

  • Validate size, content type, and extension
  • Store outside web root; scan if required

Checklist Before Release

  • Auth tokens validated and expired correctly
  • Authorization guards on every sensitive path
  • All inputs validated and sanitized
  • No string-concatenated SQL
  • CSRF posture correct for app type
  • Secrets externalized; none committed
  • Security headers configured
  • Rate limiting on APIs
  • Dependencies scanned and up to date
  • Logs free of sensitive data

Remember: Deny by default, validate inputs, least privilege, and secure-by-configuration first.

FAQ & Installation Steps

These questions and steps mirror the structured data on this page for better search understanding.

? Frequently Asked Questions

What is springboot-security?

Essential for Java Spring Boot Agents implementing enterprise-grade authentication and authorization. Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.

How do I install springboot-security?

Run the command: npx killer-skills add affaan-m/everything-claude-code/springboot-security. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for springboot-security?

Key use cases include: Implementing JWT authentication flows, Configuring role-based access control with @PreAuthorize, Setting up CSRF protection and CORS headers, Scanning dependencies for CVEs, Applying rate limiting to prevent brute-force attacks.

Which IDEs are compatible with springboot-security?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for springboot-security?

Java Spring Boot specific implementation. Requires understanding of Spring Security architecture. Dependent on Spring ecosystem libraries.

How To Install

  1. 1. Open your terminal

    Open the terminal or command line in your project directory.

  2. 2. Run the install command

    Run: npx killer-skills add affaan-m/everything-claude-code/springboot-security. The CLI will automatically detect your IDE or AI agent and configure the skill.

  3. 3. Start using the skill

    The skill is now active. Your AI agent can use springboot-security immediately in the current project.

Related Skills

Looking for an alternative to springboot-security or another official skill for your workflow? Explore these related open-source skills.

View All

flags

Logo of facebook
facebook

Use when you need to check feature flag states, compare channels, or debug why a feature behaves differently across release channels.

243.6k
0
Developer

extract-errors

Logo of facebook
facebook

Use when adding new error messages to React, or seeing unknown error code warnings.

243.6k
0
Developer

fix

Logo of facebook
facebook

Use when you have lint errors, formatting issues, or before committing code to ensure it passes CI.

243.6k
0
Developer

flow

Logo of facebook
facebook

Use when you need to run Flow type checking, or when seeing Flow type errors in React code.

243.6k
0
Developer

Related Collections

View All Collections →
12 AI Agent Tools & Integrations for Developer Workflows | AI Agent Skills[12]Top Claude Code Skills & Agent Workflows | AI Agent Skills[6]Community Skills & AI Utilities | AI Agent Skills[12]Developer Tooling for AI Agent Work | AI Agent Skills[12]Community Skills & Frameworks for AI Agent Builders | AI Agent Skills[11]AI Agent Workflow Skills, Integrations, and Utilities | AI Agent Skills[12]12 Official AI Skills & Trusted Tools | AI Agent Skills[12]Productivity Tools for AI-Enabled Developers | AI Agent Skills[5]Top Windsurf Skills & AI Agent Workflows | AI Agent Skills[5]