jbaruch/spring-security-ai

Secure AI agent APIs with Spring Security 7 - RBAC, method security, OAuth2, and per-user agent access control

Quality: 90% (Does it follow best practices?)
Impact: 92% (1.24x; average score across 3 eval scenarios)
Security by Snyk: Passed (no known issues)

File: evals/scenario-2/task.md

Secure an AI Agent REST API

Problem/Feature Description

Your team is building a Spring AI-powered internal assistant that exposes a REST API. The service has been running with a basic prototype configuration that lacks proper authentication. The backend tech lead has asked you to wire in production-grade security before the service goes to the QA environment.

The application is a Spring Boot project. It exposes the following endpoint groups:

  • /api/public/** — health checks and status pages (no auth required)
  • /api/chat/** — the main AI chat endpoint (authenticated users only)
  • /api/admin/** — management endpoints (administrators only)
  • /api/tools/** (POST only) — tool execution endpoints (agents and admins only)
  • Everything else should be denied

The application is stateless (JWT-based auth, no sessions). CSRF protection is not needed. The security configuration should also enable method-level security so that individual Spring beans can be annotated with authorization rules. All other requests not matching the above patterns should be denied by default.

Provide an in-memory user store for local development with three users: a regular user, an agent-level user, and an admin user — using appropriate password encoding.

Output Specification

Produce a complete, compilable Java source file SecurityConfig.java in the package com.example.agentapi.config that contains the security configuration. Also produce UserStoreConfig.java in the same package with the in-memory user store setup.

Include a brief NOTES.md documenting any important decisions you made about the security configuration.
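As an added example (not code from the jbaruch/spring-security-ai repository), one SecurityConfig.java that meets the requirements above in Spring Security 7. It assumes Spring Boot with the OAuth2 resource-server starter and spring.security.oauth2.resourceserver.jwt.issuer-uri configured, and that bearer tokens carry a `roles` claim (an assumed claim name) listing USER, AGENT or ADMIN; the in-memory users are a local-development store for whatever flow issues those tokens, since this filter chain itself only validates JWTs.

```java
package com.example.agentapi.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity // lets individual beans carry @PreAuthorize and similar rules
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)          // stateless bearer-token API, no cookies
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/chat/**").authenticated()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.POST, "/api/tools/**").hasAnyRole("AGENT", "ADMIN")
                .anyRequest().denyAll())                    // everything else denied by default
            .oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(jwtConverter())));
        return http.build();
    }
    // Default JWT mapping yields SCOPE_* authorities, which hasRole() never matches; map the assumed "roles" claim to ROLE_*
    private JwtAuthenticationConverter jwtConverter() {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");   // assumption: claim name used by the token issuer
        roles.setAuthorityPrefix("ROLE_");        // same prefix that .roles(...) below produces
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }
    @Bean // local-development store with constructed sample passwords; the task places this in UserStoreConfig.java
    UserDetailsService users() {
        var enc = PasswordEncoderFactories.createDelegatingPasswordEncoder(); // {bcrypt} by default
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password(enc.encode("user-pw")).roles("USER").build(),
            User.withUsername("agent").password(enc.encode("agent-pw")).roles("AGENT").build(),
            User.withUsername("admin").password(enc.encode("admin-pw")).roles("ADMIN").build());
    }
}
```

The explicit authorities converter is the part most often missed: without it a token's scopes become SCOPE_* authorities, hasRole("ADMIN") never matches, and /api/admin/** fails closed (every caller gets 403) rather than being exposed.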
