Secure AI agent APIs with Spring Security 7 - RBAC, method security, OAuth2, and per-user agent access control
Does it follow best practices? 90%
Impact: 92%
1.24x average score across 3 eval scenarios
Passed, no known issues
{
"context": "Tests whether the agent correctly configures a Spring Security 7 SecurityFilterChain using the new lambda DSL, avoids deprecated Spring Security 6.x APIs, sets up stateless session management, and enables method security. Also checks in-memory user store setup with correct password encoding.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Lambda DSL only",
"description": "Uses lambda DSL for all HttpSecurity configuration (e.g. `.authorizeHttpRequests(auth -> auth...)`) and does NOT use `.and()` method chaining, which was deprecated in Spring Security 6.1 and removed in 7.0",
"max_score": 12
},
{
"name": "authorizeHttpRequests used",
"description": "Uses `authorizeHttpRequests()` — does NOT use the removed `authorizeRequests()`",
"max_score": 10
},
{
"name": "No legacy matchers",
"description": "Does NOT import or use `MvcRequestMatcher` or `AntPathRequestMatcher` — uses `requestMatchers()` which auto-selects `PathPatternRequestMatcher`",
"max_score": 8
},
{
"name": "CSRF disabled",
"description": "Disables CSRF via `.csrf(csrf -> csrf.disable())` or equivalent lambda form; acceptable only because the API is stateless and authenticated by bearer tokens or HTTP Basic rather than session cookies, so there is no cookie-backed session for a cross-site request to ride on",
"max_score": 8
},
{
"name": "Stateless session",
"description": "Sets session creation policy to `STATELESS` via `sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))`",
"max_score": 8
},
{
"name": "@EnableMethodSecurity present",
"description": "Security configuration class is annotated with `@EnableMethodSecurity`",
"max_score": 10
},
{
"name": "@EnableWebSecurity present",
"description": "Security configuration class is annotated with `@EnableWebSecurity`",
"max_score": 6
},
{
"name": "Correct endpoint rules",
"description": "Rules include: `/api/public/**` permitted, `/api/chat/**` authenticated, `/api/admin/**` restricted to ADMIN role, POST `/api/tools/**` restricted to AGENT or ADMIN, and any remaining requests denied",
"max_score": 12
},
{
"name": "DelegatingPasswordEncoder",
"description": "Uses `PasswordEncoderFactories.createDelegatingPasswordEncoder()` for the `PasswordEncoder` bean",
"max_score": 8
},
{
"name": "InMemoryUserDetailsManager",
"description": "User store uses `InMemoryUserDetailsManager` with at least three users having distinct roles (user, agent, admin), each password encoded through the `PasswordEncoder` bean rather than stored as `{noop}` plaintext",
"max_score": 10
},
{
"name": "OAuth2 resource server",
"description": "Configures `.oauth2ResourceServer(oauth2 -> oauth2.jwt(...))` in the filter chain",
"max_score": 8
}
]
}