Spring Security 7 implementation for Spring Boot 4. Use when configuring authentication, authorization, OAuth2/JWT resource servers, method security, or CORS/CSRF. Covers the mandatory Lambda DSL migration, SecurityFilterChain patterns, @PreAuthorize, and password encoding. For testing secured endpoints, see spring-boot-testing skill.
View on GitHubplugins/spring-boot/skills/spring-boot-security/SKILL.md
January 23, 2026
Select agents to install to:
npx add-skill https://github.com/joaquimscosta/arkhe-claude-plugins/blob/main/plugins/spring-boot/skills/spring-boot-security/SKILL.md -a claude-code --skill spring-boot-securityInstallation paths:
.claude/skills/spring-boot-security/# Spring Security 7 for Spring Boot 4 Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL. ## Critical Breaking Changes | Removed API | Replacement | Status | |-------------|-------------|--------| | `and()` method | Lambda DSL closures | **Required** | | `authorizeRequests()` | `authorizeHttpRequests()` | **Required** | | `antMatchers()` | `requestMatchers()` | **Required** | | `WebSecurityConfigurerAdapter` | `SecurityFilterChain` bean | **Required** | | `@EnableGlobalMethodSecurity` | `@EnableMethodSecurity` | **Required** | ## Core Workflow 1. **Create SecurityFilterChain bean** → Configure with Lambda DSL 2. **Define authorization rules** → `authorizeHttpRequests()` with `requestMatchers()` 3. **Configure authentication** → Form login, HTTP Basic, or OAuth2 4. **Add method security** → `@EnableMethodSecurity` + `@PreAuthorize` 5. **Handle CORS/CSRF** → Configure for REST APIs ## Quick Patterns See [EXAMPLES.md](EXAMPLES.md) for complete working examples including: - **REST API Security** with JWT/OAuth2 (Java + Kotlin) - **Form Login with Session Security** and CSRF - **Method Security** with @PreAuthorize and SpEL - **CORS Configuration** for cross-origin APIs - **Password Encoder** (Argon2 for Security 7) ## Spring Boot 4 Specifics - **Lambda DSL** is mandatory (no `and()` chaining) - **Argon2** password encoder: `Argon2PasswordEncoder.defaultsForSpring7()` - **CSRF for SPAs**: `CookieCsrfTokenRepository.withHttpOnlyFalse()` - **@EnableMethodSecurity** replaces `@EnableGlobalMethodSecurity` ## Detailed References - **Examples**: See [EXAMPLES.md](EXAMPLES.md) for complete working code examples - **Troubleshooting**: See [TROUBLESHOOTING.md](TROUBLESHOOTING.md) for common issues and Boot 4 migration - **Security Configuration**: See [references/SECURITY-CONFIG.md](references/SECURITY-CONFIG.md) for complete SecurityFilterChain patterns - **Authentication**: See [references/AUTHENTICATION.md](references/AUTHENTIC