- Home
- Skills
- Giuseppe Trisciuoglio
- Developer Kit
- Spring Boot Security Jwt
spring-boot-security-jwt_skill
- Python
99
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill giuseppe-trisciuoglio/developer-kit --skill spring-boot-security-jwt- SKILL.md35.0 KB
Overview
This skill provides production-ready JWT authentication and authorization patterns for Spring Boot 3.5.x using Spring Security 6.x and the JJWT library. It implements token generation, validation, refresh strategies, Bearer and cookie support, database-backed refresh tokens, OAuth2 integration, and RBAC/permission-based checks. Use it to standardize stateless security across APIs, SPAs, microservices, and mobile backends.
How this skill works
The skill supplies a JwtService for token creation and validation, a JwtAuthenticationFilter that extracts tokens from Authorization headers or cookies, and a SecurityFilterChain configured for stateless sessions and method-level security. It includes a refresh token strategy with persistent storage and token rotation, plus example endpoints for /register, /authenticate, /refresh, and /logout. The code demonstrates how to attach authorities to tokens and enforce access rules with @PreAuthorize and role/permission checks.
When to use it
- Building stateless REST APIs or SPA backends with JWT
- Securing microservices or mobile API backends with token-based auth
- Integrating external OAuth2 providers (Google, GitHub) into your auth flow
- Adding refresh token rotation with DB-backed revocation and auditability
- Migrating from session-based to modern token-based security
- Implementing role-based or fine-grained permission access control
Best practices
- Keep JWT secrets out of source control and load from environment or vault
- Use short-lived access tokens and long-lived refresh tokens with rotation and revocation
- Store refresh tokens server-side with expiration and revocation flags
- Enable HTTPS and set cookie Secure and HttpOnly for cookie-based tokens
- Restrict token claims to minimal required data and validate issuer/audience
- Write automated tests for authentication, authorization, and token expiry flows
Example use cases
- REST API that issues access and refresh tokens for single-page applications
- Microservice resource server validating JWTs from an API gateway or identity provider
- Mobile backend issuing access tokens and rotating refresh tokens stored in DB
- Hybrid auth: local username/password plus optional OAuth2 social login
- APIs enforcing permission-based access with @PreAuthorize checks
FAQ
This implementation targets Spring Boot 3.5.x and Spring Security 6.x. You may adapt concepts for newer or older versions, but API and configuration differences may require code changes.
How should I store JWT secrets and client credentials?
Never hardcode secrets. Use environment variables, Kubernetes secrets, or a secrets manager (Vault, AWS Secrets Manager) and restrict access via IAM or RBAC.