jbaruch/spring-security-ai

Secure AI agent APIs with Spring Security 7 - RBAC, method security, OAuth2, and per-user agent access control

Quality: 90% (does it follow best practices?)
Impact: 92%, 1.24x, average score across 3 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-1/criteria.json

{
  "context": "Tests whether the agent correctly configures JWT OAuth2 resource server with a custom JwtAuthenticationConverter that reads from the 'roles' claim with ROLE_ prefix, properly wires the converter into the filter chain, and avoids the removed OAuth2 password grant.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "issuer-uri in application.yml",
      "description": "`application.yml` contains `spring.security.oauth2.resourceserver.jwt.issuer-uri` property",
      "max_score": 10
    },
    {
      "name": "JwtAuthenticationConverter bean",
      "description": "A `@Bean` method returning `JwtAuthenticationConverter` is defined in the security configuration",
      "max_score": 10
    },
    {
      "name": "roles claim name set",
      "description": "`JwtGrantedAuthoritiesConverter.setAuthoritiesClaimName(\"roles\")` is called on the converter",
      "max_score": 12
    },
    {
      "name": "ROLE_ authority prefix set",
      "description": "`JwtGrantedAuthoritiesConverter.setAuthorityPrefix(\"ROLE_\")` is called on the converter",
      "max_score": 12
    },
    {
      "name": "Converter wired into filter chain",
      "description": "The `SecurityFilterChain` references the custom `JwtAuthenticationConverter` bean via `.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(...)))`",
      "max_score": 12
    },
    {
      "name": "Lambda DSL for oauth2ResourceServer",
      "description": "OAuth2 resource server configuration uses the lambda DSL and does NOT use `.and()` chaining, which was deprecated in Spring Security 6.1 and removed in 7",
      "max_score": 8
    },
    {
      "name": "No password grant",
      "description": "The configuration does NOT use or reference the OAuth2 password grant (e.g. no `ResourceOwnerPasswordTokenGranter`, no password grant type configuration)",
      "max_score": 10
    },
    {
      "name": "Password grant identified as removed",
      "description": "`MIGRATION_NOTES.md` states that the password grant is removed/unavailable in Spring Security 7 and identifies authorization code + PKCE or client credentials as the alternative",
      "max_score": 10
    },
    {
      "name": "oauth2-resource-server dependency",
      "description": "The `spring-boot-starter-oauth2-resource-server` dependency is referenced (in pom.xml, build.gradle, or documentation)",
      "max_score": 8
    },
    {
      "name": "authorizeHttpRequests used",
      "description": "Filter chain uses `authorizeHttpRequests()` — does NOT use removed `authorizeRequests()`",
      "max_score": 8
    }
  ]
}
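A Spring Security 7 configuration that satisfies every item in this checklist, as an added example for this page rather than code from the jbaruch/spring-security-ai skill or its evals. The package name, the issuer URL, the `/api/agents/**` and `/api/admin/**` paths and the `AGENT_USER`/`AGENT_ADMIN` role names are placeholders chosen for illustration; the Spring Security classes and methods are the real ones the checklist names.

```java
// Added example, not code from the jbaruch/spring-security-ai skill.
// Assumes spring-boot-starter-oauth2-resource-server on the classpath and this
// property in application.yml (the issuer URL is a placeholder):
//
//   spring:
//     security:
//       oauth2:
//         resourceserver:
//           jwt:
//             issuer-uri: https://issuer.example.com/realms/agents
//
// Spring Boot fetches the issuer's discovery document, takes the JWK Set URI
// from it, and validates each token's signature, expiry and "iss" claim.
package com.example.agents.security; // placeholder package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // lets @PreAuthorize guard per-user agent access on service methods
public class SecurityConfig {

    /**
     * Maps the custom "roles" claim (e.g. ["AGENT_USER", "AGENT_ADMIN"]) to the
     * authorities ROLE_AGENT_USER / ROLE_AGENT_ADMIN. Without this bean Spring reads
     * the "scope"/"scp" claim with a "SCOPE_" prefix, so every hasRole(...) check
     * below would fail silently with 403 for every caller.
     */
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http,
                                              JwtAuthenticationConverter jwtAuthenticationConverter)
            throws Exception {
        http
            // authorizeHttpRequests(), not the removed authorizeRequests()
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .requestMatchers(HttpMethod.POST, "/api/agents/**").hasRole("AGENT_USER")
                .requestMatchers("/api/admin/**").hasRole("AGENT_ADMIN")
                .anyRequest().authenticated())
            // Lambda DSL throughout; no .and() chaining (removed in Spring Security 7).
            // The converter bean is injected so the filter chain and the bean stay in sync.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter)))
            // Bearer-token API: no HTTP session, hence no session fixation and no
            // cookie-based CSRF surface, which is the only reason disabling CSRF is safe here.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}
```

Tokens still come from an authorization server, never from this service: an interactive client obtains them with the authorization code flow plus PKCE, a service-to-service caller with client credentials. The resource server never sees a user password, which is why the removed password grant has no place in this configuration. A quick check that the converter is really wired in: send a token whose `roles` claim is `["AGENT_USER"]` to a `POST /api/agents/...` endpoint and expect 200, then send the same token to `/api/admin/...` and expect 403. If both return 403, the claim name or the `ROLE_` prefix is wrong and the authorities are still being read from the scope claim.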

Files:
evals/scenario-1/criteria.json
evals/scenario-1/task.md
tile.json