springboot-security

仓库: affaan-m/everything-claude-code
安装量: 1.4K
排名: #1027

安装

npx skills add https://github.com/affaan-m/everything-claude-code --skill springboot-security

Use when adding auth, handling input, creating endpoints, or dealing with secrets.

Authentication

  • Prefer stateless JWT or opaque tokens with revocation list

  • Use httpOnly, Secure, SameSite=Strict cookies for sessions

  • Validate tokens with OncePerRequestFilter or resource server

@Component
public class JwtAuthFilter extends OncePerRequestFilter {
  private final JwtService jwtService;

  public JwtAuthFilter(JwtService jwtService) {
    this.jwtService = jwtService;
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
      FilterChain chain) throws ServletException, IOException {
    String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    if (header != null && header.startsWith("Bearer ")) {
      String token = header.substring(7);
      Authentication auth = jwtService.authenticate(token);
      SecurityContextHolder.getContext().setAuthentication(auth);
    }
    chain.doFilter(request, response);
  }
}

Authorization

  • Enable method security: @EnableMethodSecurity

  • Use @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)")

  • Deny by default; expose only required scopes

Input Validation

  • Use Bean Validation with @Valid on controllers

  • Apply constraints on DTOs: @NotBlank, @Email, @Size, custom validators

  • Sanitize any HTML with a whitelist before rendering

SQL Injection Prevention

  • Use Spring Data repositories or parameterized queries

  • For native queries, use :param bindings; never concatenate strings

CSRF Protection

  • For browser session apps, keep CSRF enabled; include token in forms/headers

  • For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth

http
  .csrf(csrf -> csrf.disable())
  .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

Secrets Management

  • No secrets in source; load from env or vault

  • Keep application.yml free of credentials; use placeholders

  • Rotate tokens and DB credentials regularly

Security Headers

http
  .headers(headers -> headers
    .contentSecurityPolicy(csp -> csp
      .policyDirectives("default-src 'self'"))
    .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
    .xssProtection(Customizer.withDefaults())
    .referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));

Rate Limiting

  • Apply Bucket4j or gateway-level limits on expensive endpoints

  • Log and alert on bursts; return 429 with retry hints

Dependency Security

  • Run OWASP Dependency Check / Snyk in CI

  • Keep Spring Boot and Spring Security on supported versions

  • Fail builds on known CVEs

Logging and PII

  • Never log secrets, tokens, passwords, or full PAN data

  • Redact sensitive fields; use structured JSON logging

File Uploads

  • Validate size, content type, and extension

  • Store outside web root; scan if required

Checklist Before Release

Auth tokens validated and expired correctly Authorization guards on every sensitive path All inputs validated and sanitized No string-concatenated SQL CSRF posture correct for app type Secrets externalized; none committed Security headers configured Rate limiting on APIs Dependencies scanned and up to date Logs free of sensitive data

Remember: Deny by default, validate inputs, least privilege, and secure-by-configuration first.

返回排行榜