Guide Claude on securing Vaadin 25 applications with Spring Security. This skill should be used when the user asks to "add security", "add login", "create a login view", "create a login form", "use Spring Security", "secure a view", "add authentication", "add authorization", "use @RolesAllowed", "use @PermitAll", "use @AnonymousAllowed", "use @DenyAll", "use VaadinSecurityConfigurer", "add OAuth2", "use OAuth2 login", "use Google login", "use Keycloak", "use GitHub login", "add logout", "add a logout button", "use AuthenticationContext", "protect a view", "role-based access", "configure SecurityFilterChain", or needs help with view access control, login forms, OAuth2 providers, or logout handling in Vaadin Flow.
64
77%: Does it follow best practices?
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl
`npx tessl skill review --optimize ./skills/security/SKILL.md`
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at trigger term coverage and completeness, providing an exhaustive list of when-to-use scenarios that would make skill selection very reliable. Its main weakness is that the 'what' portion is somewhat vague—it says 'Guide Claude on securing' rather than listing specific concrete actions the skill enables. The description could also benefit from restructuring to lead with concrete capabilities before the trigger list.
Suggestions
Replace the vague opening 'Guide Claude on securing Vaadin 25 applications with Spring Security' with specific concrete actions, e.g., 'Configures Spring Security for Vaadin 25 apps: creates login views, sets up OAuth2 providers (Google, GitHub, Keycloak), implements role-based access control with @RolesAllowed/@PermitAll, and adds logout handling.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (Vaadin 25 + Spring Security) and implies actions like adding login, authentication, authorization, OAuth2, and logout, but the 'what' is stated as a vague 'Guide Claude on securing Vaadin 25 applications' rather than listing concrete actions like 'configure SecurityFilterChain, create login views, set up OAuth2 providers, implement role-based access control'. | 2 / 3 |
| Completeness | The description clearly answers both 'what' (securing Vaadin 25 applications with Spring Security) and 'when' with an extensive explicit 'Use when' clause listing numerous trigger phrases and scenarios. The 'when' guidance is exceptionally thorough. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms including 'add security', 'add login', 'create a login view', 'use Spring Security', '@RolesAllowed', '@PermitAll', 'OAuth2', 'Google login', 'Keycloak', 'GitHub login', 'add logout', 'role-based access', and many more. These are terms users would naturally say when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive due to the specific combination of Vaadin 25 + Spring Security, along with Vaadin-specific terms like 'VaadinSecurityConfigurer', '@AnonymousAllowed', 'Vaadin Flow', and 'AuthenticationContext'. This is unlikely to conflict with generic Spring Security or generic Vaadin skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill with complete executable code examples covering the full spectrum of Vaadin 25 security topics. Its main weaknesses are moderate verbosity (particularly in Best Practices/Anti-Patterns sections) and the lack of an explicit step-by-step workflow with validation checkpoints. The content would benefit from being slightly more condensed and having a clearer sequential setup guide with verification steps.
Suggestions
Add a brief numbered 'Getting Started' workflow at the top (1. Add dependency → 2. Create SecurityConfig → 3. Create LoginView → 4. Annotate views → 5. Verify by accessing a protected view while unauthenticated) with explicit validation checkpoints.
Consider moving the Best Practices and Anti-Patterns sections into the referenced `references/security-patterns.md` file to reduce the main skill's length and improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is generally well-written but includes some unnecessary explanations (e.g., explaining what LoginForm provides, what VaadinSecurityConfigurer handles in bullet list form, and the lengthy Best Practices/Anti-Patterns sections that could be more condensed). The note on @PermitAll semantics is valuable but slightly verbose. Overall mostly efficient with some room to tighten. | 2 / 3 |
| Actionability | Excellent actionability throughout — every section includes fully executable, copy-paste-ready code examples including Maven dependencies, complete Java classes, application.properties configurations, and specific method calls. The code is complete and realistic, not pseudocode. | 3 / 3 |
| Workflow Clarity | The skill covers multiple interconnected steps (add dependency → create SecurityConfig → create LoginView → annotate views → add logout) but doesn't present them as a clear numbered workflow with validation checkpoints. There's no explicit 'verify your setup works' step or feedback loop for debugging common issues like misconfigured annotations or OAuth2 redirect failures. | 2 / 3 |
| Progressive Disclosure | The skill references `references/security-patterns.md` at the end for detailed cheatsheets, which is good progressive disclosure. However, the main file is quite long (~250+ lines) and some content like the full OAuth2 provider configurations and the extensive Best Practices/Anti-Patterns sections could be split into reference files. The bundle file is not provided, so we can't verify the reference exists, but the structure is reasonable with room for improvement. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
e47fdfe