This skill should be used when the user asks to "audit security", "review security config", "check security chains", "validate @PreAuthorize", "audit tenant context", "verify RLS setup", "security review", or "check filter pipeline order". Audits whether an existing Spring Security implementation follows the patterns defined in the security skill. For implementing security from scratch, use the security skill instead.
Audits an existing Spring Security implementation against the conventions defined in the security skill. It validates
that security is correctly configured; it does not implement security from scratch.
Distinction: The security skill defines how to implement security. This skill defines how to verify that the
implementation is correct.
Related skill: security skill
Command: /s2-review --security
Grep: @EnableWebSecurity glob:**/*.java
Grep: TenantAwareDataSource glob:**/*.java. If found, run the conditional RLS audit in the same reference.
Verify @Order correctness, catch-all chain presence, securityMatcher coverage, and CSRF policy.
See Spring Security Config.
Verify correct filter order (ApiKeyAuth -> BearerToken -> PostAuthProvisioning -> TenantContext), chain.doFilter()
always called, and pre-tenant filters use TenantContextRunner.
See Spring Security Config.
Verify converter uses TenantContext.bypass(), clears in finally, returns minimal token on failure, and no internal
claims leak in responses.
See Spring Security Config.
Verify @PreAuthorize on all non-public controllers, never on Use Cases/domain, @EnableMethodSecurity present, and
custom SpEL registered.
See Authorization & Tenant.
Verify filter positioned after PostAuthProvisioning, requireContext() in repos, and clear in finally.
See Authorization & Tenant.
Verify parameterized SQL/logging, no secrets in logs/responses, CORS not using wildcard in production, actuator restricted, sessions stateless for API chains. See General Hygiene.
Conditional RLS audit (run when TenantAwareDataSource present).
See Authorization & Tenant.
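The checklist above is expressed as grep steps; as an added illustration that is not part of this skill or of any project, the following Python audit applies four of the items (handler-level @PreAuthorize on controllers, no @PreAuthorize outside controllers, TenantContext.bypass() undone in a finally block, filters that never call chain.doFilter) to constructed Java snippets. The file paths, class names, the Req/Res parameter types and the TenantContext.clear() method name are assumptions, and the line-based matching is an approximation of a real parser.

```python
import re

# Constructed Java snippets standing in for a scanned source tree (not real project code).
SAMPLE_TREE = {
    "web/OrderController.java": (
        "@RestController\npublic class OrderController {\n"
        "  @PreAuthorize(\"hasRole('USER')\")\n"
        "  @GetMapping(\"/orders\") public String list() { return \"ok\"; }\n"
        "  @DeleteMapping(\"/orders/{id}\") public void delete() {}\n}\n"),
    "application/CancelOrderUseCase.java": (
        "@Service\npublic class CancelOrderUseCase {\n"
        "  @PreAuthorize(\"hasRole('ADMIN')\") public void cancel() {}\n}\n"),
    "security/ProvisioningConverter.java": (
        "public class ProvisioningConverter {\n  public Object convert(Object jwt) {\n"
        "    TenantContext.bypass();\n    return provision(jwt);\n  }\n}\n"),
    "security/ApiKeyAuthFilter.java": (
        "public class ApiKeyAuthFilter extends OncePerRequestFilter {\n"
        "  protected void doFilterInternal(Req req, Res res, FilterChain chain) {\n"
        "    if (!valid(req)) { res.setStatus(401); return; }\n  }\n}\n"),
}
MAPPING = re.compile(r"@(Get|Post|Put|Delete|Patch|Request)Mapping\b")
CONTROLLER = re.compile(r"@(Rest)?Controller\b")
# Assumed name of the call that undoes bypass(); adjust to the project's TenantContext API.
CLEAR_IN_FINALLY = re.compile(r"finally\s*\{[^}]*TenantContext\.clear\(\)")

def audit(tree):
    """Return sorted (path, finding-code) pairs for the checklist items covered here."""
    findings = []
    for path, src in tree.items():
        is_controller = CONTROLLER.search(src) is not None
        if not is_controller and "@PreAuthorize" in src:
            findings.append((path, "PREAUTH_OUTSIDE_CONTROLLER"))  # never on use cases/domain
        if is_controller:
            run = []  # consecutive annotation lines above the current member
            for line in src.splitlines():
                line = line.strip()
                if not line.startswith("@"):
                    run = []
                    continue
                run.append(line)
                if MAPPING.search(line):  # a mapping annotation ends a handler's block
                    if not any("@PreAuthorize" in a for a in run):
                        findings.append((path, "HANDLER_WITHOUT_PREAUTHORIZE"))
                    run = []
        if "TenantContext.bypass()" in src and not CLEAR_IN_FINALLY.search(src):
            findings.append((path, "BYPASS_WITHOUT_FINALLY_CLEAR"))
        if "OncePerRequestFilter" in src and "chain.doFilter(" not in src:
            findings.append((path, "FILTER_MISSING_DOFILTER"))  # chain never continued
    return sorted(findings)
```

Each of the four sample files trips exactly one check; swapping in a converter that clears inside finally and a filter that calls chain.doFilter() removes those two findings.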