spring-boot-security

Spring Security 7 for Spring Boot 4

Implements authentication and authorization with Spring Security 7's mandatory Lambda DSL.

Critical Breaking Changes

Removed API	Replacement	Status
and() method	Lambda DSL closures	Required
authorizeRequests()	authorizeHttpRequests()	Required
antMatchers()	requestMatchers()	Required
WebSecurityConfigurerAdapter	SecurityFilterChain bean	Required
@EnableGlobalMethodSecurity	@EnableMethodSecurity	Required

Core Workflow

1. Create SecurityFilterChain → 2. Define authorization → 3. Configure authentication → 4. Add method security → 5. Handle CORS/CSRF

See WORKFLOW.md for detailed step-by-step instructions with code examples.

Quick Patterns

See EXAMPLES.md for complete working examples including:

• REST API Security with JWT/OAuth2 (Java + Kotlin)
• Form Login with Session Security and CSRF
• Method Security with @PreAuthorize and SpEL
• CORS Configuration for cross-origin APIs
• Password Encoder (Argon2 for Security 7)

Spring Boot 4 Specifics

• Lambda DSL is mandatory (no and() chaining)
• Argon2 password encoder: Argon2PasswordEncoder.defaultsForSpring7()
• CSRF for SPAs: CookieCsrfTokenRepository.withHttpOnlyFalse()
• @EnableMethodSecurity replaces @EnableGlobalMethodSecurity

Detailed References

• Workflow: See WORKFLOW.md for detailed step-by-step security configuration
• Examples: See EXAMPLES.md for complete working code examples
• Troubleshooting: See TROUBLESHOOTING.md for common issues and Boot 4 migration
• Security Configuration: See references/SECURITY-CONFIG.md for complete SecurityFilterChain patterns
• Authentication: See references/AUTHENTICATION.md for UserDetailsService, password encoding
• JWT/OAuth2: See references/JWT-OAUTH2.md for resource server, token validation

Related Skills

Need	Skill
Testing secured endpoints	spring-boot-testing
Actuator endpoint security	spring-boot-observability
Dependency verification	spring-boot-verify

Anti-Pattern Checklist

Anti-Pattern	Fix
Using and() chaining	Use Lambda DSL closures
antMatchers()	Replace with requestMatchers()
authorizeRequests()	Replace with authorizeHttpRequests()
CSRF disabled without JWT	Keep CSRF for session-based auth
Hardcoded credentials	Use environment variables or Secret Manager
permitAll() on sensitive endpoints	Audit all permit rules
Missing authenticated() default	End with .anyRequest().authenticated()

Critical Reminders

1. Lambda DSL is mandatory — No more and() chaining in Security 7
2. Order matters — More specific requestMatchers before general ones
3. CSRF for sessions — Only disable for stateless JWT APIs
4. Method security needs enabling — Add @EnableMethodSecurity
5. Test security configuration — Use @WithMockUser and JWT test support (see spring-boot-testing)