spring-boot-security-jwt_skill

This skill implements production-ready JWT authentication and authorization for Spring Boot 3.5.x, enabling stateless security and RBAC with Spring Security.
  • Python

99

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill giuseppe-trisciuoglio/developer-kit --skill spring-boot-security-jwt

  • SKILL.md35.0 KB

Overview

This skill provides production-ready JWT authentication and authorization patterns for Spring Boot 3.5.x using Spring Security 6.x and the JJWT library. It implements token generation, validation, refresh strategies, Bearer and cookie support, database-backed refresh tokens, OAuth2 integration, and RBAC/permission-based checks. Use it to standardize stateless security across APIs, SPAs, microservices, and mobile backends.

How this skill works

The skill supplies a JwtService for token creation and validation, a JwtAuthenticationFilter that extracts tokens from Authorization headers or cookies, and a SecurityFilterChain configured for stateless sessions and method-level security. It includes a refresh token strategy with persistent storage and token rotation, plus example endpoints for /register, /authenticate, /refresh, and /logout. The code demonstrates how to attach authorities to tokens and enforce access rules with @PreAuthorize and role/permission checks.

When to use it

  • Building stateless REST APIs or SPA backends with JWT
  • Securing microservices or mobile API backends with token-based auth
  • Integrating external OAuth2 providers (Google, GitHub) into your auth flow
  • Adding refresh token rotation with DB-backed revocation and auditability
  • Migrating from session-based to modern token-based security
  • Implementing role-based or fine-grained permission access control

Best practices

  • Keep JWT secrets out of source control and load from environment or vault
  • Use short-lived access tokens and long-lived refresh tokens with rotation and revocation
  • Store refresh tokens server-side with expiration and revocation flags
  • Enable HTTPS and set cookie Secure and HttpOnly for cookie-based tokens
  • Restrict token claims to minimal required data and validate issuer/audience
  • Write automated tests for authentication, authorization, and token expiry flows

Example use cases

  • REST API that issues access and refresh tokens for single-page applications
  • Microservice resource server validating JWTs from an API gateway or identity provider
  • Mobile backend issuing access tokens and rotating refresh tokens stored in DB
  • Hybrid auth: local username/password plus optional OAuth2 social login
  • APIs enforcing permission-based access with @PreAuthorize checks

FAQ

This implementation targets Spring Boot 3.5.x and Spring Security 6.x. You may adapt concepts for newer or older versions, but API and configuration differences may require code changes.

How should I store JWT secrets and client credentials?

Never hardcode secrets. Use environment variables, Kubernetes secrets, or a secrets manager (Vault, AWS Secrets Manager) and restrict access via IAM or RBAC.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
spring-boot-security-jwt skill by giuseppe-trisciuoglio/developer-kit | VeilStrat