// Use when adding CoSec to a Spring Boot application, choosing WebFlux/WebMVC/Gateway modules, configuring JWT authentication, authorization filters, local policies, Redis policy caching, social login, IP enrichment, OpenAPI, or OpenTelemetry integration.
Use when extending CoSec policy matching with custom ActionMatcher or ConditionMatcher implementations, condition types, matcher factories, ServiceLoader SPI registration, or Spring bean matcher registration.
Use when writing, validating, explaining, or debugging CoSec policy JSON, policy statements, ALLOW/DENY rules, action matchers, condition matchers, role-based authorization, tenant scoping, or rate limiting policies.
Use when diagnosing CoSec authentication or authorization failures such as unexpected 401/403 responses, denied requests that should be allowed, policies not loading, JWT token rejection, matcher mismatches, or unclear access decisions.
| name | cosec-integration |
| description | Use when adding CoSec to a Spring Boot application, choosing WebFlux/WebMVC/Gateway modules, configuring JWT authentication, authorization filters, local policies, Redis policy caching, social login, IP enrichment, OpenAPI, or OpenTelemetry integration. |
This skill guides you through integrating CoSec into a Spring Boot application. CoSec is a reactive, multi-tenant RBAC + Policy-based security framework built on Spring Boot and Project Reactor.
CoSec modules are published to Maven Central under the me.ahoo.cosec group. Use the BOM for version management.
// gradle/libs.versions.toml
[versions]
cosec = "4.3.6" // check latest at https://central.sonatype.com/artifact/me.ahoo.cosec/cosec-bom
[libraries]
cosec-bom = { module = "me.ahoo.cosec:cosec-bom", version.ref = "cosec" }
cosec-spring-boot-starter = { module = "me.ahoo.cosec:cosec-spring-boot-starter" }
cosec-webflux = { module = "me.ahoo.cosec:cosec-webflux" }
cosec-webmvc = { module = "me.ahoo.cosec:cosec-webmvc" }
cosec-gateway = { module = "me.ahoo.cosec:cosec-gateway" }
cosec-jwt = { module = "me.ahoo.cosec:cosec-jwt" }
cosec-cocache = { module = "me.ahoo.cosec:cosec-cocache" }
cosec-social = { module = "me.ahoo.cosec:cosec-social" }
cosec-ip2region = { module = "me.ahoo.cosec:cosec-ip2region" }
cosec-opentelemetry = { module = "me.ahoo.cosec:cosec-opentelemetry" }
cosec-openapi = { module = "me.ahoo.cosec:cosec-openapi" }
// build.gradle.kts
dependencies {
implementation(platform(libs.cosec.bom))
implementation(libs.cosec.spring.boot.starter)
implementation(libs.cosec.webflux) // for WebFlux apps
// implementation(libs.cosec.webmvc) // for Servlet apps
// implementation(libs.cosec.gateway) // for Spring Cloud Gateway
implementation(libs.cosec.jwt) // JWT token handling
// implementation(libs.cosec.cocache) // Redis policy caching
}
<dependencyManagement>
<dependencies>
<dependency>
<groupId>me.ahoo.cosec</groupId>
<artifactId>cosec-bom</artifactId>
<version>4.3.6</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>me.ahoo.cosec</groupId>
<artifactId>cosec-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>me.ahoo.cosec</groupId>
<artifactId>cosec-webflux</artifactId>
</dependency>
<dependency>
<groupId>me.ahoo.cosec</groupId>
<artifactId>cosec-jwt</artifactId>
</dependency>
</dependencies>
| Use Case | Required Modules |
|---|---|
| Basic WebFlux app | cosec-spring-boot-starter + cosec-webflux |
| Servlet/WebMVC app | cosec-spring-boot-starter + cosec-webmvc |
| API Gateway | cosec-spring-boot-starter + cosec-gateway |
| JWT authentication | add cosec-jwt |
| Redis policy caching | add cosec-cocache |
| Social OAuth login | add cosec-social |
| IP geolocation conditions | add cosec-ip2region |
| Authorization tracing | add cosec-opentelemetry |
| OpenAPI/Swagger integration | add cosec-openapi |
cosec:
enabled: true # master switch (default: true)
authentication:
enabled: true # enable authentication
authorization:
enabled: true # enable authorization (default: true)
local-policy:
enabled: true # load policies from local JSON files
locations: classpath:cosec-policy/*-policy.json
init-repository: true # push local policies to repository on startup
jwt:
algorithm: hmac256 # hmac256, hmac384, hmac512, rsa256, etc.
secret: your-256-bit-secret-key # required for HMAC algorithms
| Property | Default | Description |
|---|---|---|
cosec.enabled | true | Master enable/disable switch |
cosec.authentication.enabled | — | Enable/disable authentication |
cosec.authorization.enabled | true | Enable/disable authorization |
cosec.authorization.local-policy.enabled | false | Load policies from local JSON files |
cosec.authorization.local-policy.locations | classpath:cosec-policy/*-policy.json | Resource patterns for policy files |
cosec.authorization.local-policy.init-repository | false | Push local policies to repository on startup |
cosec.jwt.algorithm | — | JWT algorithm (hmac256, rsa256, etc.) |
cosec.jwt.secret | — | JWT secret key (for HMAC algorithms) |
cosec.ip2region.enabled | false | Enable IP geolocation |
cosec.openapi.enabled | false | Enable OpenAPI integration |
Place policy JSON files in src/main/resources/cosec-policy/. Files must match the pattern *-policy.json.
{
"id": "(health-probe)",
"name": "Health Probe",
"type": "global",
"tenantId": "(platform)",
"statements": [
{
"name": "actuator",
"action": [
"/actuator/health",
"/actuator/health/readiness",
"/actuator/health/liveness"
]
}
]
}
{
"id": "api-policy",
"name": "API Policy",
"type": "global",
"tenantId": "(platform)",
"statements": [
{
"name": "PublicEndpoints",
"action": ["/auth/login", "/auth/register"]
},
{
"name": "AuthenticatedApi",
"action": "/api/**",
"condition": { "authenticated": {} }
},
{
"name": "AdminEndpoints",
"action": "/admin/**",
"condition": { "inRole": { "value": "admin" } }
}
]
}
See the cosec-policy-author skill for full policy JSON reference.
No special annotations or configuration classes needed. CoSec auto-configures everything based on classpath and properties.
@SpringBootApplication
class MyApp
fun main(args: Array<String>) {
runApplication<MyApp>(*args)
}
The auto-configuration automatically registers:
ReactiveAuthorizationFilter (WebFlux) or AuthorizationFilter (WebMVC) or AuthorizationGatewayFilter (Gateway)SecurityContextParser for extracting security context from requestsSimpleAuthorization for policy evaluationLocalPolicyLoader / LocalPolicyInitializer for loading local policy filescosec-jwt is on classpath)The cosec-gateway-server module is a complete reference implementation. Key configuration:
# application.yaml
cosec:
authentication:
enabled: false # Gateway relies on token injection from upstream
jwt:
algorithm: hmac256
secret: FyN0Igd80Gas8stTavArGKOYnS9uLWGA_
authorization:
local-policy:
enabled: true
init-repository: true
Gateway-specific dependencies:
implementation(libs.cosec.cocache) // Redis caching
implementation(libs.cosec.gateway) // Gateway filter
implementation(libs.cosec.opentelemetry) // Tracing
implementation(libs.cosec.ip2region) // IP geolocation
implementation("org.springframework.cloud:spring-cloud-starter-gateway-server-webflux")
Use conditional properties to disable specific features:
cosec:
enabled: false # disable everything
authorization:
enabled: false # disable only authorization
jwt:
# not configuring jwt disables JWT auto-config
ip2region:
enabled: false
Each auto-configuration class has a corresponding @ConditionalOn*Enabled annotation that checks these properties.
locations pattern. Enable debug logging: logging.level.me.ahoo.cosec.authorization.SimpleAuthorization=debugcosec.jwt.secret and cosec.jwt.algorithm match what the token issuer usescosec.authorization.local-policy.enabled=true and files are in the correct classpath location"cosec" (configurable via cosec.root system property)