Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

springboot-security

Sterne0

Forks0

Aktualisiert1. April 2026 um 15:10

Use when configuring Spring Security, implementing JWT/OAuth2 auth, adding role-based access control, or hardening Spring Boot APIs. Do NOT use for general patterns (use springboot-patterns), JPA (use jpa-patterns), or testing (use springboot-tdd).

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

sskim91

sskim91/dotfiles

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

SoftwareentwicklerInformatik- und Mathematikberufe·SOC 15-1252

SKILL.md

readonly

Mehr aus diesem Repository

gleiches Repository

genos-knowledge-capture

sskim91/dotfiles

Use when GenOS 작업에서 얻은 재사용 가능한 지식(플랫폼 패턴·함정·고객사 결정)을 개인 Obsidian vault(Projects/GenonAI)에 기록할 가치가 생겼거나, GenOS 작업 맥락에서 사용자가 "지식 캡처", "vault에 정리/기록", "MOC", "읽는 순서", "field note", "/genos-knowledge-capture"를 요청할 때 사용. Do NOT use for: GenOS와 무관한 노트, 웹 리서치 기반 일반 개념 노트, 단순 진행상황·세션 상태.

2026-06-210

wiki-compiler

sskim91/dotfiles

Use when user says "wiki compile", "위키 컴파일", "raw 정리", "지식 컴파일", "소스 컴파일", or wants to compile raw sources into a structured wiki. Do NOT use for individual note creation (use obsidian-note) or vault maintenance (use vault-linter).

2026-06-160

vault-linter

sskim91/dotfiles

Use when user says "vault lint", "노트 점검", "vault 정리", "orphan notes", "링크 점검", or wants to check Obsidian vault health. Do NOT use for individual note creation (use obsidian-note) or tag management (use til-tagger).

2026-06-160

excalidraw-diagram

sskim91/dotfiles

Create Excalidraw diagram JSON files that make visual arguments. Use when the user wants to visualize workflows, architectures, or concepts. Use when user says "다이어그램", "diagram", "excalidraw", "시각화", "아키텍처 그려". Do NOT use for Mermaid diagrams or draw.io.

2026-06-160

obsidian-note

sskim91/dotfiles

Use when user mentions "Obsidian", "옵시디언", "write as note", "save to notes", "노트로 저장", or /obsidian-note command. Do NOT use for TIL (use til), YouTube notes (use youtube-summarizer), GenOS 작업 지식 캡처 (use genos-knowledge-capture), or deep/team/multi-angle note research (use agentic-notes).

2026-06-070

agentic-notes

sskim91/dotfiles

Use when the user asks to create an Obsidian note with an agent team, deep research, strict verification, multiple angles, or phrases like "팀으로 조사해서 노트", "깊게 조사해서 옵시디언 노트", "/agentic-notes", "--team", "--verify strict", or "--deep". Do NOT use for a simple one-shot Obsidian note; use obsidian-note instead.

2026-06-070

name	springboot-security
description	Use when configuring Spring Security, implementing JWT/OAuth2 auth, adding role-based access control, or hardening Spring Boot APIs. Do NOT use for general patterns (use springboot-patterns), JPA (use jpa-patterns), or testing (use springboot-tdd).
paths	*/.java, */build.gradle, /pom.xml, /application.yml, /application.properties

Spring Boot Security Patterns

Spring Security 6+ with lambda DSL. Deny by default, validate inputs, least privilege.

When to Activate

SecurityFilterChain 구성
JWT / OAuth2 인증 구현
@PreAuthorize 인가 규칙 추가
CORS, CSRF, 보안 헤더 설정
비밀번호 인코딩, 시크릿 관리
Rate limiting, 의존성 보안 스캔

CRITICAL Rules

Deny by default — 명시적으로 허용한 경로만 접근 가능
Never store plaintext passwords — BCrypt(12+) 또는 Argon2 사용
Never hardcode secrets — ${ENV_VAR} 또는 Vault
Never trust X-Forwarded-For directly — ForwardedHeaderFilter + trusted proxy 설정 필수
Never concatenate SQL strings — parameterized query 또는 Spring Data 사용
Never log tokens, passwords, PII — 구조화된 로깅에서 민감 필드 제외

SecurityFilterChain (Spring Security 6+)

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
            JwtAuthFilter jwtAuthFilter) throws Exception {
        return http
            .csrf(csrf -> csrf.disable()) // Stateless API — CSRF not needed
            .sessionManagement(sm ->
                sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**", "/actuator/health").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
            .headers(headers -> headers
                .contentSecurityPolicy(csp ->
                    csp.policyDirectives("default-src 'self'"))
                .frameOptions(HeadersConfigurer.FrameOptionsConfig::deny))
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }
}

JWT Authentication

Approach 1: OAuth2 Resource Server (PREFERRED)

외부 IdP(Keycloak, Auth0, Okta) 또는 자체 발급 JWT를 검증할 때 공식 권장 방식. Spring Boot가 JwtDecoder를 자동 구성하므로 커스텀 필터가 불필요하다.

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .csrf(csrf -> csrf.disable())
        .sessionManagement(sm ->
            sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/auth/**", "/actuator/health").permitAll()
            .requestMatchers("/api/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated())
        .oauth2ResourceServer(oauth2 -> oauth2
            .jwt(Customizer.withDefaults()))
        .build();
}

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://auth.example.com/realms/myapp
          # 또는 자체 서명 키:
          # public-key-location: classpath:public.pem

Spring Boot가 자동으로 JWT 서명 검증, iss/exp/aud 클레임 검증, scope→authority 매핑을 처리한다.

Approach 2: Custom JWT Filter (자체 토큰 발급 시)

OAuth2 인프라 없이 직접 JWT를 발급/검증해야 할 때만 사용:

@Component
public class JwtAuthFilter extends OncePerRequestFilter {
    private final JwtService jwtService;
    private final UserDetailsService userDetailsService;

    public JwtAuthFilter(JwtService jwtService, UserDetailsService userDetailsService) {
        this.jwtService = jwtService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);
            return;
        }

        String token = header.substring(7);
        String username = jwtService.extractUsername(token);

        if (username != null
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails user = userDetailsService.loadUserByUsername(username);
            if (jwtService.isValid(token, user)) {
                var auth = new UsernamePasswordAuthenticationToken(
                    user, null, user.getAuthorities());
                auth.setDetails(new WebAuthenticationDetailsSource()
                    .buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        chain.doFilter(request, response);
    }
}

JWT Service

@Service
public class JwtService {
    @Value("${app.jwt.secret}")
    private String secret;

    @Value("${app.jwt.expiration:PT1H}")
    private Duration expiration;

    public String generateToken(UserDetails user) {
        return Jwts.builder()
            .subject(user.getUsername())
            .issuedAt(new Date())
            .expiration(Date.from(Instant.now().plus(expiration)))
            .signWith(getSigningKey())
            .compact();
    }

    public String extractUsername(String token) {
        return extractClaim(token, Claims::getSubject);
    }

    public boolean isValid(String token, UserDetails user) {
        return extractUsername(token).equals(user.getUsername())
            && !isExpired(token);
    }

    private SecretKey getSigningKey() {
        return Keys.hmacShaKeyFor(Decoders.BASE64.decode(secret));
    }
}

JWT Role Mapping (Custom Claims)

IdP의 JWT에 커스텀 roles 클레임이 있을 때:

@Bean
public JwtAuthenticationConverter jwtAuthConverter() {
    JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
    converter.setAuthorityPrefix("ROLE_");
    converter.setAuthoritiesClaimName("roles"); // JWT의 roles 클레임 매핑

    JwtAuthenticationConverter authConverter = new JwtAuthenticationConverter();
    authConverter.setJwtGrantedAuthoritiesConverter(converter);
    return authConverter;
}

// SecurityFilterChain에서 사용
.oauth2ResourceServer(oauth2 -> oauth2
    .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthConverter())))

Method Security

@RestController
@RequestMapping("/api/orders")
public class OrderController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping
    public List<OrderDto> listAll() { /* ... */ }

    @PreAuthorize("@authz.isOwner(#id, authentication)")
    @GetMapping("/{id}")
    public OrderDto getById(@PathVariable Long id) { /* ... */ }

    @PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')")
    @DeleteMapping("/{id}")
    public ResponseEntity<Void> delete(@PathVariable Long id) { /* ... */ }
}

@Component("authz")
public class AuthorizationService {
    private final OrderRepository orderRepo;

    public boolean isOwner(Long orderId, Authentication auth) {
        return orderRepo.findById(orderId)
            .map(order -> order.getUserId().equals(getUserId(auth)))
            .orElse(false);
    }
}

CORS Configuration

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowedOrigins(List.of("https://app.example.com"));
    config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
    config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
    config.setAllowCredentials(true);
    config.setMaxAge(3600L);

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/api/**", config);
    return source;
}

Rules:

Production에서 * origin 금지
allowCredentials(true) 사용 시 specific origin 필수
Security filter level에서 설정 (controller-level 아님)

CSRF Strategy

App Type	CSRF	Reason
Stateless API (JWT/Bearer)	Disable	Token itself prevents CSRF
Session-based web app	Enable	Browser auto-sends cookies
Mixed (API + web)	Enable for web paths	Selective protection

// Stateless API
http.csrf(csrf -> csrf.disable());

// Session-based with SPA
http.csrf(csrf -> csrf
    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()));

Secrets Management

# BAD
spring:
  datasource:
    password: mySecretPassword123

# GOOD: Environment variable
spring:
  datasource:
    password: ${DB_PASSWORD}

# GOOD: Spring Cloud Vault
spring:
  cloud:
    vault:
      uri: https://vault.example.com
      token: ${VAULT_TOKEN}
      kv:
        backend: secret
        default-context: myapp

Rate Limiting

@Component
public class RateLimitFilter extends OncePerRequestFilter {
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        // SECURITY: getRemoteAddr() is correct only when ForwardedHeaderFilter
        // is configured with trusted proxy. See springboot-patterns for details.
        String clientIp = request.getRemoteAddr();
        Bucket bucket = buckets.computeIfAbsent(clientIp, k ->
            Bucket.builder()
                .addLimit(Bandwidth.classic(100,
                    Refill.greedy(100, Duration.ofMinutes(1))))
                .build());

        if (bucket.tryConsume(1)) {
            chain.doFilter(request, response);
        } else {
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.getWriter().write(
                "{\"type\":\"about:blank\",\"title\":\"Too Many Requests\",\"status\":429}");
        }
    }
}

Input Validation

// BAD: No validation
@PostMapping("/users")
public User create(@RequestBody UserDto dto) { return userService.create(dto); }

// GOOD: Validated DTO
public record CreateUserRequest(
    @NotBlank @Size(max = 100) String name,
    @NotBlank @Email String email,
    @NotNull @Min(0) @Max(150) Integer age) {}

@PostMapping("/users")
public ResponseEntity<UserDto> create(@Valid @RequestBody CreateUserRequest req) {
    return ResponseEntity.status(HttpStatus.CREATED).body(userService.create(req));
}

SQL Injection Prevention

// BAD: String concatenation
@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)

// GOOD: Parameterized query
@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
List<User> findByName(@Param("name") String name);

// GOOD: Spring Data derived query (auto-parameterized)
List<User> findByEmailAndActiveTrue(String email);

HTTPS Enforcement

# application.yml — SSL 설정
server:
  port: 8443
  ssl:
    bundle: my-server   # SSL Bundles (Spring Boot 3.1+)
    # 또는 전통적 방식:
    # key-store: classpath:keystore.p12
    # key-store-password: ${SSL_KEYSTORE_PASSWORD}
    # key-store-type: PKCS12

HTTP → HTTPS 리다이렉트:

// SecurityFilterChain 내에서
http.requiresChannel(channel ->
    channel.anyRequest().requiresSecure());

Security Checklist

Gotchas

❌ permitAll()을 requestMatchers() 전에 선언 → 순서 중요, 구체적 매칭 먼저
❌ @PreAuthorize에서 하드코딩된 role 문자열 → 상수 또는 enum 사용
❌ JWT 비밀키를 application.yml에 직접 작성 → 환경변수 필수
❌ CORS 설정에서 allowedOrigins("*") → 명시적 도메인 지정

References

Spring Security Reference — Official documentation
Spring Security OAuth2 Resource Server — JWT validation
Spring Boot Security Properties — All security properties
Baeldung: Spring Security — Tutorials