
spring-security

Spring Boot security review — Spring Security config (SecurityFilterChain), OAuth2/OIDC client and resource-server, method-level @PreAuthorize, JWT validation, actuator endpoint lockdown, CSRF model for web vs API, and recent Spring CVE patterns (Spring4Shell, SpEL injection, authorization bypasses).
roodlicht/accans-sec-skills · ★ 4 · API & Backend · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# Spring Boot Security

## When to use

This skill is the Spring-specific layer on top of `secure-coding` and `api-security`. Spring Security is powerful and for exactly that reason foot-gun-rich: small details in the config decide whether your app is safe or wide open.

Triggers on:

- A question like "review our Spring Security config", "OAuth2 client setup", "lock down actuator endpoints", "JWT validation on a Spring Resource Server", "@PreAuthorize review".
- Presence of `spring-boot-starter-security`, `spring-security-oauth2-client`, `SecurityFilterChain` beans, `@EnableWebSecurity`, `@PreAuthorize`/`@PostAuthorize` annotations, or an `application.yml` with `spring.security.*` or `management.*` keys.
- A PR that touches `.permitAll()`, `.disable()` on CSRF/CORS, a custom `AuthenticationProvider`, a `UserDetailsService`, or a JWT filter.
- Spring version bumps around security releases.
- A handoff from `security-review` or `api-security` where Spring is in the stack.

### When NOT (handoff)

- General Java secure coding → `secure-coding`.
- API design and the OWASP API Top 10: large overlap, but that skill is framework-agnostic. Use `api-security` for conceptual questions (what IDOR is, how to validate a schema) and this skill for Spring-specific implementation.
- SAST with Semgrep `p/java-spring` or CodeQL → `sast-orchestrator`.
- Dependency vulnerabilities (including Log4Shell-class vulnerabilities in transitive deps) → `cve-triage`.
- Infra around Spring (Kubernetes deploy, container image) → `container-hardening` + `k8s-
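The "small details decide whether the app is open" point above, and the PR trigger on `.permitAll()` and `.disable()`, are easiest to see with a concrete before/after. The following is an added example written for this page, not code from the `accans-sec-skills` repository: a `SecurityFilterChain` a review would flag (matcher ordering, actuator exposure, CSRF disabled on a session-cookie chain), followed by the two-chain layout that fixes each point. It assumes Spring Boot 3 / Spring Security 6 (lambda DSL), `spring-boot-starter-actuator` on the classpath and `spring.security.oauth2.resourceserver.jwt.issuer-uri` set in `application.yml`; the paths, role names and `SCOPE_admin` authority are hypothetical.

```java
package com.example.security;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not the skill's code). Assumes Spring Boot 3 / Spring Security 6,
 * spring-boot-starter-actuator on the classpath and
 * spring.security.oauth2.resourceserver.jwt.issuer-uri configured.
 * Paths and role/authority names below are hypothetical.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // enables @PreAuthorize / @PostAuthorize evaluation
public class SecurityConfig {

    /**
     * BEFORE: deliberately NOT a @Bean, kept only for contrast. Three foot-guns:
     *  - "/**" permitAll comes first. Rules are evaluated top-down and the first
     *    match wins, so /admin/** and every later rule are dead code: the app is open.
     *  - /actuator/** permitAll exposes env, heapdump, threaddump and mappings.
     *  - CSRF is disabled on a chain that authenticates with a session cookie
     *    (form login), which is exactly the case CSRF protection exists for.
     */
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        return http
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/actuator/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .build();
    }

    /**
     * AFTER, chain 1: the bearer-token API. Stateless, so no session cookie exists
     * for a cross-site request to ride on; disabling CSRF is correct here and only here.
     */
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        return http
            .securityMatcher("/api/**")   // this chain handles /api/** only
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                // default JWT converter maps the "scope" claim to SCOPE_<value> authorities
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .anyRequest().authenticated())   // most specific first, catch-all last
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .build();
    }

    /**
     * AFTER, chain 2: browser UI plus actuator. CSRF keeps its default (enabled)
     * because this chain authenticates with a session cookie. Actuator is locked
     * down by endpoint id via EndpointRequest rather than by a literal path string.
     */
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .build();
    }
}
```

Two review checks fall out of this layout. First, in every `authorizeHttpRequests` block read the matchers top-down and confirm nothing broader sits above something narrower; a `permitAll()` on a wide pattern silently shadows everything below it. Second, prefer `EndpointRequest` over a hard-coded `/actuator/**`: if someone later changes `management.endpoints.web.base-path`, the endpoint-id matcher keeps working while the literal path stops matching and the endpoints fall through to whatever the catch-all rule says.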