
Spring Boot Security Jwt
Implement stateless JWT login, refresh rotation, and method-level RBAC on a Spring Boot 3.5.x REST API.
Overview
spring-boot-security-jwt is an agent skill for the Build phase that implements JWT authentication and RBAC authorization patterns for Spring Boot 3.5.x REST APIs.
Install
npx skills add https://github.com/giuseppe-trisciuoglio/developer-kit --skill spring-boot-security-jwt
What is this skill?
- Access and refresh token flows with JJWT 0.12.6 and configurable expiration
- Bearer header and HttpOnly cookie authentication strategies
- Spring Security 6.x SecurityFilterChain setup for Spring Boot 3.5.x
- RBAC and permission-based @PreAuthorize with JPA and OAuth2 integration patterns
- Token revocation, blacklisting, and refresh rotation for logout-safe stateless auth
- Targets Spring Boot 3.5.x with Spring Security 6.x
- Documents JJWT 0.12.6 for token generation
Adoption & trust: 1.4k installs on skills.sh; 271 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need a stateless Spring Boot API secured with tokens, refresh rotation, and role rules without piecing together outdated Security 5 examples.
Who is it for?
Indie backend devs shipping Java APIs on Spring Boot 3.5.x who want Bearer or cookie JWT flows with refresh and method-level permissions.
Skip if: Non-Spring stacks, session-only auth without tokens, or teams that only need a high-level security checklist with no implementation.
When should I use this skill?
Use it when you implement JWT authentication, secure a REST API with tokens, configure Spring Security 6.x or a SecurityFilterChain, or add role-based access control in Spring Boot.
What do I get? / Deliverables
You get a coherent JWT + Spring Security 6.x layout—token service, filter chain, and @PreAuthorize rules aligned with your user store or OAuth2 provider.
- SecurityFilterChain and JWT filter configuration
- Token issuance, validation, and refresh rotation services
- Method-level @PreAuthorize RBAC or permission rules on API surface
Journey fit
Build is where authentication and authorization code lands in the product backend before you ship hardened APIs. Backend is the natural shelf for SecurityFilterChain, token services, and @PreAuthorize on controllers and services.
How it compares
Implementation-pattern skill for Spring JWT wiring—not a hosted auth SaaS and not a generic OWASP audit checklist.
Common Questions / FAQ
Who is spring-boot-security-jwt for?
Solo builders and small teams building Spring Boot REST services who need token auth, refresh handling, and RBAC in code.
When should I use spring-boot-security-jwt?
During Build backend work when you implement JWT authentication, configure SecurityFilterChain, or add @PreAuthorize role and permission rules.
Is spring-boot-security-jwt safe to install?
It can edit project files and run Bash; review the Security Audits panel on this page and never commit real signing secrets from generated samples.
SKILL.md
# Spring Boot JWT Security

JWT authentication and authorization patterns for Spring Boot 3.5.x using Spring Security 6.x and JJWT. Covers token generation, validation, refresh strategies, RBAC/ABAC, and OAuth2 integration.

## Overview

This skill provides implementation patterns for stateless JWT authentication in Spring Boot applications. It covers the complete authentication flow including token generation with JJWT 0.12.6, Bearer/cookie-based authentication, refresh token rotation, and method-level authorization with `@PreAuthorize` expressions.

Key capabilities:

- Access and refresh token generation with configurable expiration
- Bearer token and HttpOnly cookie authentication strategies
- Integration with Spring Data JPA and OAuth2 providers
- RBAC with role/permission-based `@PreAuthorize` rules
- Token revocation and blacklisting for logout/rotation

## When to Use

Activate when user requests involve:

- "Implement JWT authentication", "secure REST API with tokens"
- "Spring Security 6.x configuration", "SecurityFilterChain setup"
- "Role-based access control", "RBAC", `@PreAuthorize`
- "Refresh token", "token rotation", "token revocation"
- "OAuth2 integration", "social login", "Google/GitHub auth"
- "Stateless authentication", "SPA backend security"
- "JWT filter", "OncePerRequestFilter", "Bearer token"
- "Cookie-based JWT", "HttpOnly cookie"
- "Permission-based access control", "custom PermissionEvaluator"

## Quick Reference

### Dependencies (JJWT 0.12.6)

| Artifact | Scope |
|----------|-------|
| `spring-boot-starter-security` | compile |
| `spring-boot-starter-oauth2-resource-server` | compile |
| `io.jsonwebtoken:jjwt-api:0.12.6` | compile |
| `io.jsonwebtoken:jjwt-impl:0.12.6` | runtime |
| `io.jsonwebtoken:jjwt-jackson:0.12.6` | runtime |
| `spring-security-test` | test |

See [references/jwt-quick-reference.md](references/jwt-quick-reference.md) for Maven and Gradle snippets.
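The following token service is an added example written for this page; it is not code from the skill or from the developer-kit repository. It shows the three capabilities the dependency table above supports with JJWT 0.12.6 alone (no Spring classes, so it compiles with just `jjwt-api`, `jjwt-impl` and `jjwt-jackson` on a Java 17+ classpath): issuing an access/refresh pair, validating signature, issuer and expiry on parse, and rotating refresh tokens so a consumed token cannot be replayed. The class name `JwtTokenService`, the `typ` claim used to keep access and refresh tokens from being swapped, the constructed default secret, and the in-memory revocation set (a stand-in for a Redis or database store) are all assumptions of this example; the issuer and expiry constants mirror the `jwt.*` property values the skill documents.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Example JJWT 0.12.6 token service (hypothetical class, not the skill's own code). */
public final class JwtTokenService {

    // Constructed constants mirroring jwt.issuer / jwt.*-expiration; in Spring Boot
    // these come from @ConfigurationProperties, never from literals.
    private static final String ISSUER = "my-app";
    private static final long ACCESS_TTL_MS = 900_000L;       // 15 minutes
    private static final long REFRESH_TTL_MS = 604_800_000L;  // 7 days

    private final SecretKey key;
    // Stand-in for a persistent revocation store keyed by the refresh token's jti.
    private final Set<String> revokedRefreshIds = ConcurrentHashMap.newKeySet();

    public JwtTokenService(String secret) {
        // HS256 requires at least 256 bits; Keys.hmacShaKeyFor rejects shorter keys.
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    public record TokenPair(String accessToken, String refreshToken) {}

    public TokenPair issue(String username, List<String> roles) {
        return new TokenPair(accessToken(username, roles), refreshToken(username));
    }

    private String accessToken(String username, List<String> roles) {
        Instant now = Instant.now();
        return Jwts.builder()
                .subject(username)
                .issuer(ISSUER)
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plusMillis(ACCESS_TTL_MS)))
                .claim("typ", "access")
                .claim("roles", roles)
                .signWith(key)
                .compact();
    }

    private String refreshToken(String username) {
        Instant now = Instant.now();
        return Jwts.builder()
                .subject(username)
                .issuer(ISSUER)
                .id(UUID.randomUUID().toString())  // jti: the handle revoked on rotation
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plusMillis(REFRESH_TTL_MS)))
                .claim("typ", "refresh")
                .signWith(key)
                .compact();
    }

    /** Verifies signature, issuer and expiry (30 s skew); throws JwtException otherwise. */
    public Claims parse(String token) {
        return Jwts.parser()
                .verifyWith(key)
                .requireIssuer(ISSUER)
                .clockSkewSeconds(30)
                .build()
                .parseSignedClaims(token)
                .getPayload();
    }

    /** A refresh token presented as a Bearer credential must not authenticate. */
    public Claims parseAccessToken(String token) {
        Claims claims = parse(token);
        if (!"access".equals(claims.get("typ", String.class))) {
            throw new JwtException("not an access token");
        }
        return claims;
    }

    /** Rotation: consume the presented refresh token (revoke its jti), then issue a new pair. */
    public TokenPair rotate(String refreshToken, List<String> currentRoles) {
        Claims claims = parse(refreshToken);
        if (!"refresh".equals(claims.get("typ", String.class))) {
            throw new JwtException("not a refresh token");
        }
        // add() returns false when the jti was already consumed: reject the replay.
        if (!revokedRefreshIds.add(claims.getId())) {
            throw new JwtException("refresh token already used");
        }
        return issue(claims.getSubject(), currentRoles);
    }

    /** Maps the roles claim to the ROLE_-prefixed authorities hasRole('ADMIN') expects. */
    public static List<String> authorities(Claims claims) {
        @SuppressWarnings("unchecked")
        List<String> roles = claims.get("roles", List.class);
        return roles == null ? List.of() : roles.stream().map(r -> "ROLE_" + r).toList();
    }

    public static void main(String[] args) {
        JwtTokenService svc = new JwtTokenService(System.getenv()
                .getOrDefault("JWT_SECRET", "constructed-dev-secret-at-least-32-bytes-long"));
        TokenPair pair = svc.issue("alice", List.of("ADMIN"));
        System.out.println("authorities: " + authorities(svc.parseAccessToken(pair.accessToken())));
        TokenPair rotated = svc.rotate(pair.refreshToken(), List.of("ADMIN"));
        try {
            svc.rotate(pair.refreshToken(), List.of("ADMIN"));  // replay of the consumed token
        } catch (JwtException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
        try {
            svc.parseAccessToken(rotated.refreshToken());        // refresh token used as Bearer
        } catch (JwtException e) {
            System.out.println("wrong token type rejected: " + e.getMessage());
        }
    }
}
```

In a real deployment the revoked-jti set must live in shared storage with a TTL equal to the refresh expiry, otherwise a second instance (or a restart) would accept the replayed token; the `typ` check matters because both token kinds are signed with the same key, so only a claim distinguishes them.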
### Key Configuration Properties

| Property | Example Value | Notes |
|----------|--------------|-------|
| `jwt.secret` | `${JWT_SECRET}` | Min 256 bits, never hardcode |
| `jwt.access-token-expiration` | `900000` | 15 min in milliseconds |
| `jwt.refresh-token-expiration` | `604800000` | 7 days in milliseconds |
| `jwt.issuer` | `my-app` | Validated on every token |
| `jwt.cookie-name` | `jwt-token` | For cookie-based auth |
| `jwt.cookie-http-only` | `true` | Always true in production |
| `jwt.cookie-secure` | `true` | Always true with HTTPS |

### Authorization Annotations

| Annotation | What it checks |
|-----------|----------------|
| `@PreAuthorize("hasRole('ADMIN')")` | Role check |
| `@PreAuthorize("hasAuthority('USER_READ')")` | Permission check |
| `@PreAuthorize("hasPermission(#id, 'Doc', 'READ')")` | Domain object check |
| `@PreAuthorize("@myService.canAccess(#id)")` | Spring bean check |

## Instructions

### Step 1 — Add Dependencies

Include `spring-boot-starter-security`, `spring-boot-starter-oauth2-resource-server`, and the three JJWT artifacts in your build file. See [references/jwt-quick-reference.md](references/jwt-quick-reference.md) for exact Maven/Gradle snippets.

### Step 2 — Configure application.yml

```yaml
jwt:
  secret: ${JWT_SECRET:change-me-min-32-chars-in-production}
  access-token-expiration: 900000
  refresh-token-expiration: 604800000
  issuer: my-app
  cookie-name: jwt-token
  cookie-http-only: true
  cookie-secure: false # true in production
```

See [references/jwt-complete-configuration.md](references/jwt-complete-configuration.md) for the full properties reference.

### Ste