Provides best-practice guidance for authentication, authorization and security hardening of Spring Boot services.
Copy the install instructions and let the AI complete the setup · recommended for beginners
Please install the "springboot-security" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/docs/tr/skills/springboot-security/SKILL.md 2. Save it as ~/.claude/skills/springboot-security/SKILL.md 3. After installing, reload the skills and tell me it is ready to use.
Please design a security scheme for a Spring Boot REST API covering user login, JWT authentication, role-based access control, password storage, endpoint-level authorization and logout, and recommend a Spring Security configuration approach.
Output a set of authentication and authorization design recommendations, including configuration essentials, implementation approach and common risk reminders.
Please review the Spring Security configuration approach below, point out potential problems with CSRF, CORS, security response headers, request validation, rate limiting and key management, and suggest improvements.
Output a security review checklist describing each risk, its scope of impact and actionable remediation advice.
I maintain a Java Spring Boot service; please provide a best-practice checklist for dependency security, vulnerability scanning, protection of sensitive configuration, production security-header configuration and least-privilege deployment.
Output a hardening checklist covering code, dependencies and deployment that a team can act on.
Use when adding auth, handling input, creating endpoints or working with secrets.
Use httpOnly, Secure, SameSite=Strict cookies.
Validate tokens with a OncePerRequestFilter or a resource server:

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;            // Spring Boot 3 / Jakarta Servlet assumed
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class JwtAuthFilter extends OncePerRequestFilter {
    // Application service that verifies the token signature/expiry and builds an Authentication
    private final JwtService jwtService;

    public JwtAuthFilter(JwtService jwtService) {
        this.jwtService = jwtService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith("Bearer ")) {
            String token = header.substring(7); // strip the "Bearer " prefix
            Authentication auth = jwtService.authenticate(token);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        // Requests without a bearer token continue anonymously; authorization rules decide later
        chain.doFilter(request, response);
    }
}
```
Enable @EnableMethodSecurity and use @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)"):

```java
import java.util.List;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/admin")
public class AdminController {
    private final UserService userService; // application service, constructor-injected

    public AdminController(UserService userService) {
        this.userService = userService;
    }
    // Role check: only ADMIN may list users
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/users")
    public List<UserDto> listUsers() {
        return userService.findAll();
    }
    // Bean-backed check: "authz" is a bean whose isOwner(id, authentication) decides ownership
    @PreAuthorize("@authz.isOwner(#id, authentication)")
    @DeleteMapping("/users/{id}")
    public ResponseEntity<Void> deleteUser(@PathVariable Long id) {
        userService.delete(id);
        return ResponseEntity.noContent().build();
    }
}
```
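As an added example (not part of the skill file), here is a Spring Security 6 configuration that wires the JwtAuthFilter and the method-security annotations shown above into one SecurityFilterChain; the /api/auth/login path and Spring Boot 3 are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // activates the @PreAuthorize checks on AdminController
public class SecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http, JwtAuthFilter jwtAuthFilter) throws Exception {
        http
            // The bearer token carries identity on every request, so no HTTP session is created;
            // with no session cookie there is nothing for a cross-site request to ride on.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Acceptable only because the API is stateless and header-authenticated; keep CSRF
            // protection if tokens are ever moved into cookies.
            .csrf(AbstractHttpConfigurer::disable)
            // Deny by default: the login endpoint (assumed path) is the only anonymous route.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/api/auth/login").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN") // URL-level check on top of @PreAuthorize
                .anyRequest().authenticated())
            // An API client gets a bare 401 rather than a redirect to an HTML login page.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            // Populate the SecurityContext from the token before the built-in authentication filters run.
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Because JwtAuthFilter is a @Component, Spring Boot also registers it as a plain servlet filter outside the security chain, so it runs for every URL regardless of these rules; disable that auto-registration with a FilterRegistrationBean whose setEnabled(false) is called, or drop the @Component annotation and instantiate the filter in this configuration.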
Use Bean Validation with @Valid: @NotBlank, @Email, @Size, custom validators.

```java
import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Max;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

// BAD: no validation, any JSON body is accepted as-is
@PostMapping("/users")
public User createUser(@RequestBody UserDto dto) {
    return userService.create(dto);
}

// GOOD: validated DTO; constraint violations are rejected before the service is called
public record CreateUserDto(
    @NotBlank @Size(max = 100) String name,
    @NotBlank @Email String email,
    @NotNull @Min(0) @Max(150) Integer age
) {}

@PostMapping("/users")
public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) {
    return ResponseEntity.status(HttpStatus.CREATED)
        .body(userService.create(dto));
}
```
Use :param bindings; never concatenate strings:

```java
import java.util.List;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

// BAD: string concatenation in a native query (SQL injection)
@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)

// GOOD: parameterised native query
@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
List<User> findByName(@Param("name") String name);

// GOOD: Spring Data derived query (parameterised automatically)
List<User> findByEmailAndActiveTrue(String email);
```
Use a PasswordEncoder bean:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(12); // cost factor 12
}

// Inside the service
public User register(CreateUserDto dto) {
    String hashedPassword = passwordEncoder.encode(dto.password());
    …
```