springboot-security

# Spring Boot Security Review Use when adding auth, handling input, creating endpoints, or dealing with secrets. ## Authentication - Prefer stateless JWT or opaque tokens with revocation list - Use `httpOnly`, `Secure`, `SameSite=Strict` cookies for sessions - Validate tokens with `OncePerRequestFilter` or resource server ```java @Component public class JwtAuthFilter extends OncePerRequestFilter { private final JwtService jwtService; public JwtAuthFilter(JwtService jwtService) { this.jwtService = jwtService; } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String header = request.getHeader(HttpHeaders.AUTHORIZATION); if (header != null && header.startsWith("Bearer ")) { String token = header.substring(7); Authentication auth = jwtService.authenticate(token); SecurityContextHolder.getContext().setAuthentication(auth); } chain.doFilter(request, response); } } ``` ## Authorization - Enable method security: `@EnableMethodSecurity` - Use `@PreAuthorize("hasRole('ADMIN')")` or `@PreAuthorize("@authz.canEdit(#id)")` - Deny by default; expose only required scopes ## Input Validation - Use Bean Validation with `@Valid` on controllers - Apply constraints on DTOs: `@NotBlank`, `@Email`, `@Size`, custom validators - Sanitize any HTML with a whitelist before rendering #...