springboot-security

为 Spring Boot 服务提供认证鉴权、CSRF、防护头与依赖安全最佳实践

星标

★ 209,790

来源

GitHub

更新于

2026-06-07

// 安全评估低风险

仅提示词，不执行代码
开源可审计
社区验证· 209.8k

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "springboot-security" 技能：
1. 下载 https://raw.githubusercontent.com/affaan-m/ECC/main/skills/springboot-security/SKILL.md
2. 保存为 ~/.claude/skills/springboot-security/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 用法示例

设计认证与授权方案

输入

请为一个 Spring Boot REST API 设计 Spring Security 方案，包含 JWT 认证、基于角色的授权、密码存储、登录失败限制，并给出推荐配置与代码示例。

预期产出

一套安全配置建议，包含过滤器链、认证授权策略、密码加密方式与示例代码。

检查接口安全漏洞

输入

请审查下面的 Spring Boot 安全配置，找出认证、CSRF、请求校验、安全响应头、密钥管理和依赖版本方面的风险，并按严重程度给出修复建议。

预期产出

一份按风险等级排序的问题清单，以及对应的修复步骤和最佳实践说明。

加固生产环境服务

输入

我准备上线一个 Spring Boot 服务，请给我一份安全加固清单，覆盖速率限制、CORS、HTTP 安全头、输入校验、Secrets 管理、依赖扫描和日志审计。

预期产出

一份可执行的上线安全清单，帮助在生产环境中系统性加固 Spring Boot 服务。

// 文档

Spring Boot Security Review

Use when adding auth, handling input, creating endpoints, or dealing with secrets.

When to Activate

Adding authentication (JWT, OAuth2, session-based)
Implementing authorization (@PreAuthorize, role-based access)
Validating user input (Bean Validation, custom validators)
Configuring CORS, CSRF, or security headers
Managing secrets (Vault, environment variables)
Adding rate limiting or brute-force protection
Scanning dependencies for CVEs

Authentication

Prefer stateless JWT or opaque tokens with revocation list
Use httpOnly, Secure, SameSite=Strict cookies for sessions
Validate tokens with OncePerRequestFilter or resource server

@Component
public class JwtAuthFilter extends OncePerRequestFilter {
  private final JwtService jwtService;

  public JwtAuthFilter(JwtService jwtService) {
    this.jwtService = jwtService;
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
      FilterChain chain) throws ServletException, IOException {
    String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    if (header != null && header.startsWith("Bearer ")) {
      String token = header.substring(7);
      Authentication auth = jwtService.authenticate(token);
      SecurityContextHolder.getContext().setAuthentication(auth);
    }
    chain.doFilter(request, response);
  }
}

Authorization

Enable method security: @EnableMethodSecurity
Use @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)")
Deny by default; expose only required scopes

@RestController
@RequestMapping("/api/admin")
public class AdminController {

  @PreAuthorize("hasRole('ADMIN')")
  @GetMapping("/users")
  public List<UserDto> listUsers() {
    return userService.findAll();
  }

  @PreAuthorize("@authz.isOwner(#id, authentication)")
  @DeleteMapping("/users/{id}")
  public ResponseEntity<Void> deleteUser(@PathVariable Long id) {
    userService.delete(id);
    return ResponseEntity.noContent().build();
  }
}

Input Validation

Use Bean Validation with @Valid on controllers
Apply constraints on DTOs: @NotBlank, @Email, @Size, custom validators
Sanitize any HTML with a whitelist before rendering

// BAD: No validation
@PostMapping("/users")
public User createUser(@RequestBody UserDto dto) {
  return userService.create(dto);
}

// GOOD: Validated DTO
public record CreateUserDto(
    @NotBlank @Size(max = 100) String name,
    @NotBlank @Email String email,
    @NotNull @Min(0) @Max(150) Integer age
) {}

@PostMapping("/users")
public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) {
  return ResponseEntity.status(HttpStatus.CREATED)
      .body(userService.create(dto));
}

SQL Injection Prevention

Use Spring Data repositories or parameterized queries
For native queries, use :param bindings; never concatenate strings

// BAD: String concatenation in native query
@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)

// GOOD: Parameterized native query
@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
List<User> findByName(@Param("name") String name);

// GOOD: Spring Data derived query (auto-parameterized)
List<User> findByEmailAndActiveTrue(String email);

Password Encoding

Always hash passwords with BCrypt or Argon2 — never store plaintext
Use PasswordEncoder bean, not manual hashing

@Bean
public PasswordEncoder passwordEncoder() {
  return new BCryptPasswordEncoder(12); // cost factor 12
}

// In service
public User register(CreateUserDto dto) {
  String hashedPassword = passwordEncoder.encode(dto.password());
  return userRepository.save(new User(dto.email(), hashedPassword));
}