
Spring Security Configuration
Generate Spring Security JWT authentication converter helper code for OAuth2 resource servers with Keycloak or AWS Cognito claim conventions.
Overview
spring-security-configuration is an agent skill for the Build phase that generates Spring Security JWT authentication converter helper methods for OAuth2 resource servers.
Install
npx skills add https://github.com/amplicode/spring-skills --skill spring-security-configuration
What is this skill?
- Package-private jwtAuthenticationConverter() helper—not a @Bean—wired via filterChain
- JwtGrantedAuthoritiesConverter with configurable claim name and ROLE_ prefix
- Provider-derived defaults: roles claim for KEYCLOAK, cognito:groups for AWS_COGNITO
- Converter block only generated when generateConverter=true and provider is KEYCLOAK or AWS_COGNITO
- Documents insert point inside the configuration class body
- Helper is package-private and explicitly not a @Bean
- Default claim names: roles for KEYCLOAK and cognito:groups for AWS_COGNITO when converter generation is enabled
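The check below is an added example, not code from the skill or its repository: it applies the converter settings listed above to constructed, unsigned tokens and prints which claim layouts produce ROLE_ authorities. The class name, the token() and roles() helpers and all claim values are assumptions made for illustration. The third token carries roles nested under realm_access, a layout Keycloak access tokens commonly use, which a converter reading the top-level roles claim does not pick up.

```java
import java.util.List;
import java.util.Map;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

// Added example (hypothetical class): inspect the authorities derived from a token's claims.
public class ConverterClaimCheck {

    // Same settings as the generated helper, with {claimName} passed in as a parameter.
    static JwtAuthenticationConverter jwtAuthenticationConverter(String claimName) {
        JwtGrantedAuthoritiesConverter granted = new JwtGrantedAuthoritiesConverter();
        granted.setAuthoritiesClaimName(claimName);
        granted.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(granted);
        return converter;
    }

    // Constructed, unsigned token: only the claim layout matters for this check.
    static Jwt token(String claim, Object value) {
        return Jwt.withTokenValue("constructed-token")
                .header("alg", "none")
                .subject("user-1")
                .claim(claim, value)
                .build();
    }

    // ROLE_-prefixed authorities the converter derives from the token.
    static List<String> roles(String claimName, Jwt jwt) {
        return jwtAuthenticationConverter(claimName).convert(jwt).getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .filter(a -> a.startsWith("ROLE_"))
                .toList();
    }

    public static void main(String[] args) {
        // AWS_COGNITO default claim name with a top-level "cognito:groups" array
        System.out.println(roles("cognito:groups", token("cognito:groups", List.of("admin", "billing"))));
        // KEYCLOAK default claim name with a top-level "roles" array
        System.out.println(roles("roles", token("roles", List.of("admin"))));
        // Roles nested under "realm_access" while the converter reads top-level "roles"
        System.out.println(roles("roles", token("realm_access", Map.of("roles", List.of("admin")))));
    }
}
```

Run it with spring-security-oauth2-resource-server and spring-security-oauth2-jose on the classpath; if the last case matches your tokens, role-based rules such as hasRole("admin") will deny every request until the claim name or the token mapping is changed.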
Adoption & trust: 1 install on skills.sh; 54 GitHub stars; 2/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You are wiring Spring Security JWT resource-server auth but keep misconfiguring authority claims or @Bean placement for JwtAuthenticationConverter.
Who is it for?
Indie developers and small teams on Spring Boot adding JWT login with Keycloak or AWS Cognito group/role claims.
Skip if: Greenfield projects that need full filter chains, method security, or providers outside KEYCLOAK and AWS_COGNITO converter generation paths.
When should I use this skill?
User is implementing or fixing Spring Security OAuth2 JWT resource-server configuration with Keycloak or AWS Cognito authority claims.
What do I get? / Deliverables
You get paste-ready Java for jwtAuthenticationConverter() with provider-appropriate claim names and ROLE_ mapping inside your security configuration class.
- jwtAuthenticationConverter() helper method with JwtGrantedAuthoritiesConverter settings
- Documented claimName variable mapping for the selected provider
Journey fit
Canonical shelf is Build because the skill emits Java configuration helpers you paste into a live Spring app, not a one-off audit report. Backend subphase matches JWT converter methods wired inside SecurityFilterChain for resource-server APIs.
How it compares
Use as a focused codegen snippet for JWT authority mapping—not a full Spring Security tutorial or infrastructure provisioning skill.
Common Questions / FAQ
Who is spring-security-configuration for?
Solo builders and backend developers maintaining Spring APIs who already use OAuth2 resource-server JWT and need accurate authority extraction from token claims.
When should I use spring-security-configuration?
Use it during Build backend work when you add or fix JwtAuthenticationConverter wiring in a SecurityFilterChain for Keycloak roles or Cognito groups claims.
Is spring-security-configuration safe to install?
Check the Security Audits panel on this Prism page and review generated code before merge; the skill only suggests configuration patterns and does not run deployments.
SKILL.md - Spring Security Configuration
# JWT Authentication Converter helper method (Java)

## Insert Point

As a package-private helper method in the configuration class body. **NOT a @Bean** — called directly from filterChain via `.jwtAuthenticationConverter(jwtAuthenticationConverter())`.

## Code

```java
// defaults: not generated (generateConverter=false)
// Only generated when generateConverter=true AND provider is KEYCLOAK or AWS_COGNITO
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter jwtAuthenticationConverter() {
    org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter =
            new org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter();
    grantedAuthoritiesConverter.setAuthoritiesClaimName("{claimName}");
    grantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
    org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter jwtAuthenticationConverter =
            new org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter();
    jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter);
    return jwtAuthenticationConverter;
}
```

## Variables

| Variable | Source | Default |
|----------|--------|---------|
| `{claimName}` | derived from provider | `"roles"` for KEYCLOAK, `"cognito:groups"` for AWS_COGNITO |

# JWT Authentication Converter helper method (Kotlin)

## Insert Point

As a private/internal helper method in the configuration class body. **NOT a @Bean** — called directly from filterChain via `.jwtAuthenticationConverter(jwtAuthenticationConverter())`.

## Code

```kotlin
// defaults: not generated (generateConverter=false)
// Only generated when generateConverter=true AND provider is KEYCLOAK or AWS_COGNITO
// NOT @Bean — helper method called directly from filterChain
fun jwtAuthenticationConverter(): org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter {
    val grantedAuthoritiesConverter: org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter =
        org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter()
    grantedAuthoritiesConverter.setAuthoritiesClaimName("{claimName}")
    grantedAuthoritiesConverter.setAuthorityPrefix("ROLE_")
    val jwtAuthenticationConverter: org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter =
        org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter()
    jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter)
    return jwtAuthenticationConverter
}
```

## Variables

| Variable | Source | Default |
|----------|--------|---------|
| `{claimName}` | derived from provider | `"roles"` for KEYCLOAK, `"cognito:groups"` for AWS_COGNITO |

# LDAP Authentication Manager bean (Java)

## Insert Point

As @Bean method in the configuration class body.

## Code

```java
// defaults: BIND authentication, NO_AUTHORITIES
// BIND authentication type:
@org.springframework.context.annotation.Bean
org.springframework.security.authentication.AuthenticationManager ldapAuthenticationManager() {
    org.springframework.security.config.ldap.LdapBindAuthenticationManagerFactory factory =
            new org.springframework.security.config.ldap.LdapBindAuthenticationManagerFactory(contextSource());
    factory.setUserDnPatterns({ldapUserDnPatternsField});
    factory.setLdapAuthoritiesPopulator({ldapAuthoritiesPopulatorRef}); // if authorities populator is set
    factory.setAuthoritiesMapper({authoritiesMapperRef}); // if authoritiesMapper is set
    factory.setUserDetailsContextMapper({userDetailsContextMapperRef}); // if userDetailsContextMapper is set
    return factory.createAuthenticationManager();
}

// PASSWORD authentication type:
@org.s