Spring Certified Professional — Theory-First Curriculum
Profile: React / full-stack developer with existing project experience Goal: Reinforce Spring theory and prepare for the Spring Certified Professional exam Style: Certification-first, theory-heavy, step-by-step, with small focused exercises Recommended duration: 10–12 weeks Daily time: 1.5–2.5 hours Main rule: Do not build another huge project. Use small code experiments only to prove the theory.
0. Certification Target
Target certification:
- Spring Certified Professional 2024
- Exam: Spring Professional Develop 2V0-72.22
Core exam areas to master:
- Spring Core
- Dependency Injection
- Bean lifecycle
- Configuration
- Spring Boot
- Auto-configuration
- Spring MVC and REST
- Validation and error handling
- Data access
- Transactions
- AOP and proxies
- Spring Security
- Testing
- Actuator and production readiness
1. How to Use This Curriculum
This curriculum is not a normal "learn Spring Boot" course.
You already built projects. So the goal is:
- understand why Spring works
- know what happens internally
- prepare for exam-style questions
- explain Spring concepts clearly in interviews
- remove weak theory gaps
For every topic, follow this format:
## Topic Name
### 1. What is it?
Explain the idea in simple language.
### 2. Why does it exist?
Explain the problem it solves.
### 3. How does Spring implement it?
Mention annotations, classes, container behavior, proxies, or auto-configuration.
### 4. Common exam traps
List tricky points.
### 5. Tiny code proof
Write the smallest possible code to prove the concept.
### 6. Interview answer
Explain the concept in 5–8 sentences.
2. Weekly Structure
Each week has five study days plus review.
| Day | Activity |
|---|---|
| Monday | Read theory and write notes |
| Tuesday | Compare annotations and concepts |
| Wednesday | Do tiny code experiments |
| Thursday | Answer practice questions |
| Friday | Explain concepts out loud |
| Saturday | Review mistakes and update cheat sheet |
| Sunday | Rest or light flashcards |
3. Daily Study Template
Use this every day.
# Daily Spring Study Log
Date:
## Topic
## What I learned
## Key annotations
## What Spring does internally
## Common traps
## 5 exam questions I can now answer
1.
2.
3.
4.
5.
## One small code proof
## My weak point today
## My final explanation in simple words
Recommended daily flow:
| Time | Task |
|---|---|
| 20 min | Read official theory |
| 25 min | Write your own explanation |
| 25 min | Compare similar concepts |
| 25 min | Small code experiment |
| 20 min | Practice questions |
| 15 min | Flashcards |
10-Week Certification Plan
Week 1 — Spring Core Mental Model
Goal
Understand Spring as a container that creates, connects, configures, and manages objects.
Main questions
By the end of this week, you must answer:
- What is Spring Framework?
- What is the IoC container?
- What is Dependency Injection?
- What is a bean?
- What is
ApplicationContext? - What is the difference between Spring and Spring Boot?
- Why does Spring create objects instead of us using
neweverywhere?
Day 1 — What Problem Does Spring Solve?
Learn
Before Spring, applications often had many classes creating each other manually.
Example:
UserRepository repository = new UserRepository();
EmailService emailService = new EmailService();
UserService userService = new UserService(repository, emailService);
This creates problems:
- hard to test
- hard to replace dependencies
- hard to configure
- hard to manage object lifecycle
- hard to reuse infrastructure
Spring solves this with the IoC container.
Key idea
IoC means:
Instead of your code controlling object creation, the Spring container controls object creation.
React comparison
In React, you often think in components:
<App>
<UserPage />
</App>
React controls rendering and lifecycle.
In Spring:
@Service
public class UserService {}
Spring controls object creation and lifecycle.
Tiny code proof
Create one service manually and one service with Spring.
Manual:
TaskRepository repository = new InMemoryTaskRepository();
TaskService service = new TaskService(repository);
Spring:
@Service
public class TaskService {
private final TaskRepository repository;
public TaskService(TaskRepository repository) {
this.repository = repository;
}
}
Exam traps
- IoC and DI are related but not identical.
- IoC is the principle.
- DI is one implementation of IoC.
- Spring does not magically know all classes. It discovers beans through configuration and component scanning.
Day 2 — ApplicationContext and BeanFactory
Learn
ApplicationContext is the main Spring container used in modern applications.
It can:
- create beans
- wire dependencies
- manage bean lifecycle
- publish events
- resolve messages
- read environment properties
- support profiles
BeanFactory is a more basic container. ApplicationContext extends it and adds enterprise features.
Must know
| Concept | Meaning |
|---|---|
| BeanFactory | Basic bean container |
| ApplicationContext | Full-featured Spring container |
| Bean | Object managed by Spring |
| BeanDefinition | Metadata describing how to create a bean |
Exam traps
- A Spring bean is not just any Java object.
- A bean is an object managed by the Spring container.
ApplicationContexteagerly creates singleton beans by default.- Lazy initialization can change this behavior.
Small exercise
Write notes answering:
What happens when a Spring Boot application starts?
Expected answer:
- SpringApplication starts.
- ApplicationContext is created.
- Configuration classes are processed.
- Component scanning runs.
- Bean definitions are registered.
- Singleton beans are created.
- Dependencies are injected.
- Lifecycle callbacks run.
- Embedded web server starts if it is a web app.
Day 3 — Beans and Bean Definitions
Learn
A bean has:
- name
- type
- scope
- dependencies
- lifecycle callbacks
- initialization behavior
Bean registration can happen through:
@Component
@Service
@Repository
@Controller
@Configuration
@Bean
Compare
| Annotation | Purpose |
|---|---|
@Component | Generic Spring-managed component |
@Service | Service layer specialization |
@Repository | Persistence layer specialization |
@Controller | MVC controller |
@RestController | REST controller = @Controller + @ResponseBody |
@Configuration | Defines configuration class |
@Bean | Creates a bean manually from a method |
Exam trap
@Service and @Repository are specializations of @Component.
But @Repository also supports persistence exception translation.
Small exercise
Answer:
When should I use @Component and when should I use @Bean?
Expected answer:
- Use
@Component/@Servicewhen the class is yours and can be annotated. - Use
@Beanwhen creating third-party classes, library objects, or when construction needs custom logic.
Day 4 — Dependency Injection
Learn
Dependency Injection means an object receives its dependencies from outside instead of creating them itself.
Types:
- Constructor injection
- Setter injection
- Field injection
Best practice:
@Service
public class TaskService {
private final TaskRepository repository;
public TaskService(TaskRepository repository) {
this.repository = repository;
}
}
Avoid:
@Autowired
private TaskRepository repository;
Why constructor injection is best
- makes dependencies explicit
- supports immutability
- easier to test
- avoids null dependencies
- works well with required dependencies
Exam traps
@Autowiredon a single constructor is optional in modern Spring.- Field injection works but is discouraged.
- If multiple beans match one dependency, Spring fails unless you use
@Primary,@Qualifier, or a more specific type.
Tiny code proof
Create two implementations:
public interface NotificationSender {
void send(String message);
}
@Component
public class EmailNotificationSender implements NotificationSender {}
@Component
public class SmsNotificationSender implements NotificationSender {}
Then fix ambiguity with:
@Qualifier("emailNotificationSender")
Day 5 — Component Scanning
Learn
Spring finds annotated classes through component scanning.
@SpringBootApplication includes @ComponentScan.
By default, it scans the package of the main application class and subpackages.
Example
@SpringBootApplication
public class MyApplication {}
If this class is in:
com.example.app
Spring scans:
com.example.app.*
But not:
com.other.*
Exam traps
- Package structure matters.
- A class with
@Servicewill not become a bean if it is outside the scanned package. - You can customize scanning with
@ComponentScan.
Small exercise
Write:
Why should the main Spring Boot class be placed in the root package?
Week 1 Review Checklist
You are ready to continue if you can explain:
- IoC
- DI
- Bean
- ApplicationContext
- Component scanning
@Componentvs@Bean@Servicevs@Repository- constructor injection
@Primary@Qualifier
Week 2 — Configuration, Profiles, Properties, Bean Lifecycle
Goal
Understand how Spring configures applications and manages bean creation from start to shutdown.
Day 1 — Java Configuration
Learn
Modern Spring prefers Java configuration over XML.
Example:
@Configuration
public class AppConfig {
@Bean
public Clock clock() {
return Clock.systemUTC();
}
}
Important
@Configuration classes are proxied by Spring.
That means if one @Bean method calls another @Bean method, Spring can return the managed singleton bean instead of creating a new object manually.
Exam traps
@Configurationis stronger than plain@Component.@Beanmethods in@Configurationclasses are proxied by CGLIB.@Beanmethod names become bean names by default.
Day 2 — External Configuration
Learn
Spring Boot reads configuration from many places:
application.propertiesapplication.yml- environment variables
- command-line arguments
- profile-specific files
- config server, if used
Example:
app:
name: task-api
max-tasks-per-user: 50
Using @Value:
@Value("${app.name}")
private String appName;
Using @ConfigurationProperties:
@ConfigurationProperties(prefix = "app")
public class AppProperties {
private String name;
private int maxTasksPerUser;
}
Prefer
Use @ConfigurationProperties for grouped config.
Use @Value for simple one-off values.
Exam traps
@ConfigurationPropertiesis type-safe.- It needs to be enabled through component scanning,
@EnableConfigurationProperties, or configuration properties scanning. - Environment variables can override property files.
Day 3 — Profiles
Learn
Profiles allow different beans or config for different environments.
Example:
spring:
profiles:
active: dev
Profile-specific files:
application-dev.yml
application-test.yml
application-prod.yml
Profile-specific bean:
@Profile("dev")
@Bean
public DataSource devDataSource() {}
Common profile use cases
| Profile | Purpose |
|---|---|
| dev | local development |
| test | automated tests |
| prod | production |
| docker | container environment |
Exam traps
- Profiles can activate beans.
- Profiles can activate property files.
- Multiple profiles can be active.
@Profile("!prod")means active when prod is not active.
Day 4 — Bean Scopes
Learn
Common scopes:
| Scope | Meaning |
|---|---|
| singleton | one bean per Spring container |
| prototype | new instance each time requested |
| request | one bean per HTTP request |
| session | one bean per HTTP session |
| application | one bean per ServletContext |
| websocket | one bean per WebSocket session |
Default scope:
singleton
Important
Singleton in Spring means:
one instance per Spring container
It does not mean Java singleton pattern.
Exam trap
Injecting a prototype bean into a singleton bean does not automatically create a new prototype instance each time you use it.
To solve this, use:
ObjectProvider<T>Provider<T>- lookup method injection
- scoped proxy
Day 5 — Bean Lifecycle
Learn
Bean lifecycle simplified:
- Instantiate bean
- Populate dependencies
- Aware callbacks
- BeanPostProcessor before initialization
- Initialization callbacks
- BeanPostProcessor after initialization
- Bean is ready
- Destruction callbacks on shutdown
Common callbacks:
@PostConstruct
public void init() {}
@PreDestroy
public void cleanup() {}
Other options:
InitializingBean
DisposableBean
@Bean(initMethod = "init", destroyMethod = "cleanup")
Exam traps
BeanPostProcessorcan modify beans before and after initialization.- AOP proxies are often created through post-processors.
@PostConstructruns after dependency injection.@PreDestroydoes not usually run for prototype beans automatically.
Week 2 Review Checklist
You must know:
@Configuration@Bean@Value@ConfigurationProperties- profiles
- property overriding
- singleton scope
- prototype scope
- request/session scope
- bean lifecycle
BeanPostProcessor@PostConstruct@PreDestroy
Week 3 — Spring Boot and Auto-Configuration
Goal
Understand what Spring Boot adds on top of Spring Framework.
Day 1 — Spring Boot Mental Model
Learn
Spring Boot helps you create production-ready Spring applications quickly.
It provides:
- starter dependencies
- auto-configuration
- embedded web server
- externalized configuration
- Actuator
- opinionated defaults
Key annotation
@SpringBootApplication
It combines:
@Configuration
@EnableAutoConfiguration
@ComponentScan
Exam trap
Many people know @SpringBootApplication, but not what it contains.
Day 2 — Starters
Learn
Starters are dependency bundles.
Examples:
spring-boot-starter-web
spring-boot-starter-data-jpa
spring-boot-starter-security
spring-boot-starter-test
spring-boot-starter-actuator
Why they exist
Without starters, you would manually choose compatible versions for many libraries.
With starters, Spring Boot manages compatible dependencies.
Exam traps
- A starter is not magic code.
- It is mostly dependency management.
- Starters work together with auto-configuration.
Day 3 — Auto-Configuration
Learn
Auto-configuration means Spring Boot configures beans automatically based on:
- classes on the classpath
- existing beans
- property values
- environment
- web application type
Example:
If spring-boot-starter-web is on the classpath, Boot configures:
- DispatcherServlet
- embedded Tomcat
- JSON converter
- error handling
- MVC infrastructure
Common conditional annotations
@ConditionalOnClass
@ConditionalOnMissingBean
@ConditionalOnBean
@ConditionalOnProperty
@ConditionalOnWebApplication
Exam traps
- Auto-configuration backs off when you define your own bean.
@ConditionalOnMissingBeanis important.- Auto-configuration does not mean you cannot customize behavior.
Day 4 — SpringApplication and Runners
Learn
Application startup:
SpringApplication.run(App.class, args);
You can run code after startup:
@Bean
CommandLineRunner runner() {
return args -> {
System.out.println("Application started");
};
}
Also:
ApplicationRunner
Difference
| Interface | Argument type |
|---|---|
| CommandLineRunner | raw String array |
| ApplicationRunner | parsed ApplicationArguments |
Day 5 — Boot Configuration Debugging
Learn
You need to know how to inspect auto-configuration.
Useful tools:
debug=true
Actuator endpoint:
/actuator/conditions
Startup logs can show which auto-configurations matched or did not match.
Small exercise
Turn on debug mode and answer:
Which auto-configurations are active in my app?
Which ones did not match?
Why?
Week 3 Review Checklist
You must know:
- Spring vs Spring Boot
@SpringBootApplication- starters
- auto-configuration
- conditional annotations
- embedded server
- overriding auto-configured beans
CommandLineRunnerApplicationRunner
Week 4 — Spring MVC and REST
Goal
Understand how Spring receives HTTP requests and returns HTTP responses.
Day 1 — DispatcherServlet
Learn
DispatcherServlet is the front controller in Spring MVC.
Request flow:
- Client sends HTTP request.
- DispatcherServlet receives it.
- HandlerMapping finds the controller method.
- Argument resolvers prepare method arguments.
- Controller method runs.
- Return value handlers process response.
- Message converters serialize response to JSON.
- HTTP response is sent.
Exam traps
- DispatcherServlet is central to Spring MVC.
- Controllers do not directly listen on sockets.
- JSON conversion is handled by HTTP message converters.
Day 2 — Controllers and Request Mapping
Learn
Common annotations:
@RestController
@RequestMapping("/api/tasks")
@GetMapping
@PostMapping
@PutMapping
@PatchMapping
@DeleteMapping
@PathVariable
@RequestParam
@RequestBody
Example:
@GetMapping("/{id}")
public TaskResponse getTask(@PathVariable Long id) {
return taskService.findById(id);
}
Exam traps
@RestController=@Controller+@ResponseBody.@RequestBodyreads JSON body.@PathVariablereads URL path.@RequestParamreads query parameters.
Day 3 — DTOs and Message Conversion
Learn
DTO means Data Transfer Object.
Use DTOs for API input/output.
Do not expose JPA entities directly.
Why?
- avoids lazy loading problems
- protects internal data model
- controls API shape
- prevents accidental updates
- improves validation
Example
public record CreateTaskRequest(
String title,
Long clientId
) {}
public record TaskResponse(
Long id,
String title,
String status
) {}
Exam traps
- Jackson usually handles JSON serialization/deserialization.
- Spring uses
HttpMessageConverter. - Records work well as DTOs.
Day 4 — Validation
Learn
Validation uses Jakarta Bean Validation.
Common annotations:
@NotNull
@NotBlank
@Size
@Email
@Min
@Max
@Pattern
@Valid
Example:
public record CreateTaskRequest(
@NotBlank String title,
@NotNull Long clientId
) {}
Controller:
@PostMapping
public ResponseEntity<TaskResponse> create(@Valid @RequestBody CreateTaskRequest request) {}
Exam traps
@Validtriggers validation.- Validation errors can be handled globally.
- Method parameter validation may require additional setup depending on use case.
Day 5 — Exception Handling
Learn
Use @ControllerAdvice for global exception handling.
@RestControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(TaskNotFoundException.class)
public ResponseEntity<ApiError> handle(TaskNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(new ApiError("TASK_NOT_FOUND", ex.getMessage()));
}
}
Exam traps
@ExceptionHandlercan be local or global.@ControllerAdviceapplies across controllers.ResponseEntitygives control over status, headers, and body.
Week 4 Review Checklist
You must know:
- DispatcherServlet
- HandlerMapping
@RestController- request mapping annotations
@RequestBody@PathVariable@RequestParam- DTOs
- Jackson
- validation
- exception handling
ResponseEntity
Week 5 — Data Access
Goal
Understand Spring JDBC, JPA, Spring Data, repositories, and exception translation.
Day 1 — JDBC and JdbcTemplate
Learn
JDBC is the low-level Java API for database access.
Spring provides JdbcTemplate to reduce boilerplate.
Without Spring JDBC:
- open connection
- create statement
- execute query
- map result
- handle exceptions
- close resources
With JdbcTemplate:
List<Client> clients = jdbcTemplate.query(
"select id, name from clients",
(rs, rowNum) -> new Client(rs.getLong("id"), rs.getString("name"))
);
Exam traps
JdbcTemplatehandles resource management.- It translates SQL exceptions into Spring
DataAccessException. - Spring data access exceptions are unchecked.
Day 2 — JPA and Hibernate
Learn
JPA is a specification. Hibernate is an implementation.
JPA lets you map Java objects to database tables.
Example:
@Entity
public class Task {
@Id
@GeneratedValue
private Long id;
private String title;
}
Must know
| Concept | Meaning |
|---|---|
| Entity | Persistent domain object |
| EntityManager | JPA API for persistence operations |
| Persistence context | First-level cache / managed entity context |
| Hibernate | JPA provider |
| Dirty checking | Hibernate detects changed managed entities |
Exam traps
- JPA is not Hibernate.
- Hibernate implements JPA.
- Managed entities are tracked.
- Detached entities are not automatically tracked.
Day 3 — Spring Data JPA
Learn
Spring Data JPA reduces repository boilerplate.
public interface TaskRepository extends JpaRepository<Task, Long> {
List<Task> findByStatus(TaskStatus status);
}
Spring creates the implementation at runtime.
Query options
- Derived query methods
@Query- Specifications
- Query by Example
- Custom repository implementation
Exam traps
JpaRepositoryextendsPagingAndSortingRepositoryandCrudRepositoryconcepts.- Repository implementations are generated by Spring Data.
- Method names are parsed into queries.
Day 4 — Relationships and Fetching
Learn
Common relationships:
@OneToMany
@ManyToOne
@OneToOne
@ManyToMany
Example:
@ManyToOne(fetch = FetchType.LAZY)
private Client client;
Lazy vs eager
| Fetch type | Meaning |
|---|---|
| LAZY | load when needed |
| EAGER | load immediately |
Exam traps
- Lazy loading needs an open persistence context.
- Lazy loading can cause N+1 query problems.
- EAGER is not always better.
- DTO queries can avoid unnecessary entity loading.
Day 5 — Exception Translation
Learn
@Repository enables persistence exception translation.
Database-specific exceptions become Spring's consistent exception hierarchy.
Example:
SQLException -> DataAccessException
Why useful?
Your service layer does not need to depend on database-specific exception types.
Exam traps
DataAccessExceptionis unchecked.@Repositoryis not only semantic; it can enable exception translation.
Week 5 Review Checklist
You must know:
- JDBC
JdbcTemplateDataAccessException- JPA
- Hibernate
- EntityManager
- persistence context
- Spring Data repositories
- derived queries
@Query- relationships
- lazy/eager loading
- exception translation
Week 6 — Transactions
Goal
Master @Transactional, transaction boundaries, rollback, propagation, isolation, and proxy limitations.
This is one of the most important exam areas.
Day 1 — Transaction Basics
Learn
A transaction is a unit of work.
ACID:
| Letter | Meaning |
|---|---|
| A | Atomicity |
| C | Consistency |
| I | Isolation |
| D | Durability |
Example:
@Transactional
public TaskResponse createTask(CreateTaskRequest request) {
Client client = clientRepository.findById(request.clientId())
.orElseThrow();
Task task = new Task(request.title(), client);
taskRepository.save(task);
auditRepository.save(new AuditLog("TASK_CREATED"));
return mapper.toResponse(task);
}
If something fails, the whole operation can roll back.
Day 2 — Where to Put @Transactional
Best practice
Put @Transactional on service-layer methods.
Why?
- service methods represent business use cases
- one use case may involve multiple repositories
- transaction boundary should cover the whole business operation
Avoid putting transactions mainly on controllers.
Exam traps
@Transactionalcan be placed on class or method.- Method-level annotation overrides class-level annotation.
- Public methods are normally proxied.
- Internal self-calls may bypass the proxy.
Day 3 — Rollback Rules
Learn
By default:
| Exception type | Rollback? |
|---|---|
| RuntimeException | yes |
| Error | yes |
| Checked Exception | no |
Example:
@Transactional(rollbackFor = IOException.class)
public void importFile() throws IOException {}
Exam traps
- Checked exceptions do not trigger rollback by default.
- You can customize rollback with
rollbackFor. - Catching and swallowing exceptions may prevent rollback.
Day 4 — Propagation
Learn
Transaction propagation defines how a transactional method behaves when called inside another transaction.
Important propagation types:
| Propagation | Meaning |
|---|---|
| REQUIRED | join existing transaction or create new one |
| REQUIRES_NEW | suspend existing and create new transaction |
| SUPPORTS | join if exists, otherwise run without transaction |
| MANDATORY | must have existing transaction |
| NEVER | fail if transaction exists |
| NOT_SUPPORTED | suspend transaction and run without one |
| NESTED | nested transaction with savepoint |
Most important for exam
REQUIREDREQUIRES_NEWMANDATORYNESTED
Exam trap
REQUIRES_NEW commits or rolls back independently from the outer transaction.
Day 5 — Isolation and Read-Only
Learn
Isolation controls how transactions see changes from other transactions.
Common problems:
| Problem | Meaning |
|---|---|
| Dirty read | read uncommitted data |
| Non-repeatable read | same row read twice gives different result |
| Phantom read | same query returns different rows |
Isolation levels:
@Transactional(isolation = Isolation.READ_COMMITTED)
Read-only:
@Transactional(readOnly = true)
Exam traps
- Isolation support depends on the database.
readOnly = trueis an optimization hint.- It does not always strictly prevent writes at the database level.
Week 6 Review Checklist
You must know:
- ACID
- transaction boundary
@Transactional- rollback rules
- checked vs unchecked exceptions
- propagation
- isolation
- read-only transactions
- self-invocation problem
- transaction proxies
Week 7 — AOP and Proxies
Goal
Understand Spring AOP and why proxies are central to transactions, security, and method interception.
Day 1 — AOP Mental Model
Learn
AOP means Aspect-Oriented Programming.
It solves cross-cutting concerns:
- logging
- security
- transactions
- metrics
- auditing
- caching
Instead of writing the same code in every method, Spring can apply behavior around method calls.
Vocabulary
| Term | Meaning |
|---|---|
| Aspect | module containing cross-cutting logic |
| Advice | action taken by an aspect |
| Pointcut | expression selecting where advice applies |
| Join point | point in execution, usually method execution |
| Weaving | applying aspects |
| Proxy | wrapper object that intercepts calls |
Day 2 — Advice Types
Learn
Advice types:
@Before
@After
@AfterReturning
@AfterThrowing
@Around
Most powerful:
@Around
Example:
@Around("execution(* com.example..*Service.*(..))")
public Object measure(ProceedingJoinPoint pjp) throws Throwable {
long start = System.currentTimeMillis();
try {
return pjp.proceed();
} finally {
long duration = System.currentTimeMillis() - start;
System.out.println("Duration: " + duration);
}
}
Exam traps
@Aroundmust callproceed()or the target method will not run.@Afterruns after method completion, regardless of success or exception.@AfterReturningonly runs after successful return.@AfterThrowingonly runs when exception is thrown.
Day 3 — Proxies
Learn
Spring often creates a proxy object around your bean.
Caller talks to proxy. Proxy adds behavior. Proxy calls target object.
Controller -> Service Proxy -> Real Service
Used by:
@Transactional- Spring Security method security
- caching
- AOP
Proxy types
| Proxy type | Used when |
|---|---|
| JDK dynamic proxy | interface-based proxy |
| CGLIB proxy | class-based proxy |
Exam traps
- Self-invocation bypasses proxy.
- Final methods/classes can be problematic for proxying.
- Private methods are not advised by Spring AOP.
- Spring AOP is proxy-based and method-execution focused.
Day 4 — AOP vs Filters vs Interceptors
Compare
| Mechanism | Layer |
|---|---|
| Servlet Filter | before request reaches Spring MVC |
| Spring HandlerInterceptor | around controller handling |
| AOP | around Spring bean method calls |
Use cases
| Need | Tool |
|---|---|
| authentication filter | Filter |
| request logging | Filter or Interceptor |
| controller timing | Interceptor |
| service method audit | AOP |
| transaction boundary | AOP proxy |
Day 5 — AOP Exam Summary
You must explain
@Transactional works because Spring creates a proxy around the service bean.
When another bean calls the service method, the call goes through the proxy.
The proxy opens a transaction before the method and commits or rolls back after the method.
If the method calls another method in the same class, the call does not go through the proxy.
That is why self-invocation can break transactional behavior.
Week 7 Review Checklist
You must know:
- AOP
- aspect
- advice
- pointcut
- join point
- proxy
- JDK dynamic proxy
- CGLIB
- self-invocation
- relationship between AOP and transactions
Week 8 — Spring Security
Goal
Understand the security filter chain, authentication, authorization, password encoding, CSRF, CORS, and method security.
Day 1 — Security Mental Model
Learn
Authentication:
Who are you?
Authorization:
What are you allowed to do?
Spring Security works mostly through filters.
Request flow:
HTTP request
-> Security filter chain
-> DispatcherServlet
-> Controller
Exam traps
- Security happens before controller execution.
- Spring Security is based on servlet filters for web security.
- Method security can also protect service methods.
Day 2 — SecurityFilterChain
Learn
Modern Spring Security uses SecurityFilterChain.
Example:
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/actuator/health").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.build();
}
Exam traps
WebSecurityConfigurerAdapteris old style.SecurityFilterChainis current style.- Request matchers define authorization rules.
Day 3 — Users, Roles, Authorities
Learn
Important interfaces/classes:
UserDetails
UserDetailsService
GrantedAuthority
PasswordEncoder
Authentication
SecurityContext
SecurityContextHolder
Roles vs authorities
In Spring Security:
ROLE_ADMIN
is an authority.
hasRole("ADMIN") checks for:
ROLE_ADMIN
hasAuthority("ROLE_ADMIN") checks directly.
Exam traps
- Roles are usually stored as authorities with
ROLE_prefix. - Passwords should be encoded, not stored as plain text.
- BCrypt is commonly used.
Day 4 — CSRF and CORS
CSRF
CSRF protects browser-based session authentication from unwanted state-changing requests.
For stateless REST APIs using tokens, CSRF is often disabled.
But understand the reason, do not just memorize "disable CSRF".
CORS
CORS is a browser security mechanism.
Your React app at:
http://localhost:3000
calling backend at:
http://localhost:8080
is cross-origin.
Spring can configure allowed origins, methods, and headers.
Exam traps
- CSRF and CORS are different.
- CORS is enforced by browsers.
- CSRF is about unwanted authenticated actions.
- Disabling CSRF is common for stateless APIs, not always for session-based apps.
Day 5 — Method Security
Learn
Enable method security:
@EnableMethodSecurity
Use:
@PreAuthorize("hasRole('ADMIN')")
public void deleteTask(Long id) {}
Exam traps
- Method security also uses proxies.
- Self-invocation can affect method security.
- Controller security and method security can be combined.
Week 8 Review Checklist
You must know:
- authentication
- authorization
- filter chain
SecurityFilterChainUserDetailsUserDetailsServicePasswordEncoder- BCrypt
- roles and authorities
- CSRF
- CORS
- method security
@PreAuthorize
Week 9 — Testing
Goal
Understand Spring testing annotations and when to use each one.
Day 1 — Testing Pyramid
Learn
Test types:
| Test type | Speed | Purpose |
|---|---|---|
| Unit test | fastest | pure Java logic |
| Slice test | fast | one Spring layer |
| Integration test | slower | larger Spring context |
| End-to-end test | slowest | whole system |
Exam trap
Do not use @SpringBootTest for everything.
Day 2 — Unit Tests with Mockito
Learn
Use Mockito for service tests without Spring context.
@ExtendWith(MockitoExtension.class)
class TaskServiceTest {
@Mock
TaskRepository taskRepository;
@InjectMocks
TaskService taskService;
}
Exam traps
- Unit tests do not need Spring.
- Mockito mocks dependencies.
- Fast tests are useful for business logic.
Day 3 — MVC Slice Tests
Learn
Use:
@WebMvcTest(TaskController.class)
Usually with:
MockMvc
@MockBean
Example purpose:
- test request mapping
- test validation
- test status codes
- test JSON response
- test controller behavior
Exam traps
@WebMvcTestdoes not load full application context.- Service beans usually need to be mocked.
- It focuses on web layer.
Day 4 — JPA Slice Tests
Learn
Use:
@DataJpaTest
Purpose:
- test repositories
- test entity mapping
- test queries
- test persistence behavior
Exam traps
@DataJpaTestloads JPA-related components.- It usually uses an embedded database by default unless configured otherwise.
- Tests are often transactional and roll back after each test.
Day 5 — Full Integration Tests
Learn
Use:
@SpringBootTest
Purpose:
- load full context
- test multiple layers together
- test real configuration
- test application wiring
Optional:
@AutoConfigureMockMvc
Exam traps
@SpringBootTestis heavier.- It is useful but should not replace smaller tests.
- It loads the full application context.
Week 9 Review Checklist
You must know:
- JUnit 5
- Mockito
@SpringBootTest@WebMvcTest@DataJpaTestMockMvc@MockBean- test profiles
- transaction rollback in tests
- unit vs integration tests
Week 10 — Actuator, Production Readiness, Final Exam Review
Goal
Understand production-ready features and finish the exam cheat sheet.
Day 1 — Actuator
Learn
Actuator provides production-ready endpoints.
Common endpoints:
/actuator/health
/actuator/info
/actuator/metrics
/actuator/env
/actuator/beans
/actuator/conditions
Configuration
management:
endpoints:
web:
exposure:
include: health,info,metrics
Exam traps
- Do not expose all endpoints publicly in production.
- Health endpoint is commonly exposed.
- Actuator can show conditions and bean information.
Day 2 — Logging
Learn
Spring Boot uses logging abstraction and default logging configuration.
Common levels:
TRACE
DEBUG
INFO
WARN
ERROR
Example:
logging:
level:
org.springframework.security: DEBUG
Exam traps
- Debug logging can help understand auto-configuration and security.
- Do not enable too much debug logging in production.
Day 3 — Packaging and Running
Learn
Spring Boot applications can be packaged as executable jars.
Run:
java -jar app.jar
Change profile:
java -jar app.jar --spring.profiles.active=prod
Environment variable:
SPRING_PROFILES_ACTIVE=prod java -jar app.jar
Exam traps
- Spring Boot uses embedded server by default for web apps.
- You do not need to deploy a WAR to external Tomcat for common Boot apps.
Day 4 — Final Weak Areas
Review all weak topics:
## Weak Topic
Why I was wrong:
Correct explanation:
Code proof:
Exam trap:
Final memory sentence:
Day 5 — Final Mock Exam Routine
Do a mock exam simulation:
# Mock Exam Log
Date:
Score:
Time used:
Weak areas:
Top 10 wrong questions:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Topics to review tomorrow:
Final Exam Cheat Sheet
Spring Core
IoC
IoC means the framework controls object creation and wiring.
Dependency Injection
DI means dependencies are provided from outside, usually by the Spring container.
Bean
A bean is an object managed by Spring.
ApplicationContext
The main Spring container. It manages beans, configuration, events, environment, and lifecycle.
Component Scanning
Spring scans packages for stereotype annotations like @Component, @Service, @Repository, and @Controller.
@Component vs @Bean
@Component: annotate your own class.@Bean: create a bean manually in a configuration class.
@Primary vs @Qualifier
@Primary: default bean when multiple candidates exist.@Qualifier: choose a specific bean explicitly.
Bean Lifecycle
Order summary:
- Instantiate
- Inject dependencies
- Aware callbacks
- BeanPostProcessor before init
- Init callbacks
- BeanPostProcessor after init
- Bean ready
- Destroy callbacks
Spring Boot
@SpringBootApplication
Combination of:
@Configuration
@EnableAutoConfiguration
@ComponentScan
Auto-Configuration
Spring Boot creates beans automatically based on classpath, properties, existing beans, and conditions.
Starters
Dependency bundles that simplify Maven/Gradle configuration.
Spring MVC
DispatcherServlet
Front controller that receives requests and dispatches them to controllers.
@RestController
Equivalent to:
@Controller
@ResponseBody
Request Annotations
| Annotation | Purpose |
|---|---|
@RequestBody | JSON body |
@PathVariable | path value |
@RequestParam | query parameter |
@Valid | trigger validation |
Data Access
JDBC
Low-level database access API.
JdbcTemplate
Spring helper that reduces JDBC boilerplate.
JPA
Specification for ORM.
Hibernate
Popular JPA implementation.
Spring Data JPA
Creates repository implementations automatically.
Transactions
@Transactional
Creates a transaction around a method using Spring AOP proxy.
Rollback Default
| Exception | Rollback |
|---|---|
| RuntimeException | yes |
| Error | yes |
| Checked Exception | no |
Propagation
Most important:
- REQUIRED
- REQUIRES_NEW
- MANDATORY
- NESTED
Self-Invocation
A method inside the same class calling another transactional method bypasses the proxy.
AOP
Aspect
Class containing cross-cutting behavior.
Advice
Action executed at a join point.
Pointcut
Expression selecting where advice applies.
Proxy
Wrapper object used by Spring to add behavior around method calls.
Security
Authentication
Who are you?
Authorization
What are you allowed to do?
SecurityFilterChain
Defines web security rules.
CSRF
Protection against unwanted browser-based authenticated requests.
CORS
Browser mechanism for cross-origin requests.
Testing
@SpringBootTest
Loads full application context.
@WebMvcTest
Loads web layer only.
@DataJpaTest
Loads JPA layer only.
MockMvc
Tests MVC requests without starting a real server.
Actuator
Production-ready endpoints for:
- health
- metrics
- info
- beans
- conditions
- environment
Do not expose all endpoints publicly in production.
Exam-Style Question Bank
Use these questions for active recall.
Spring Core
- What is IoC?
- What is Dependency Injection?
- What is a Spring bean?
- What is
ApplicationContext? - What is the difference between
BeanFactoryandApplicationContext? - What is component scanning?
- What does
@Componentdo? - What is the difference between
@Componentand@Bean? - What is the difference between
@Serviceand@Repository? - Why is constructor injection recommended?
- What happens if two beans match one dependency?
- What does
@Primarydo? - What does
@Qualifierdo? - What is the default bean scope?
- What is the difference between singleton and prototype scope?
- What is a bean lifecycle callback?
- When does
@PostConstructrun? - What does
BeanPostProcessordo? - What are profiles?
- What is the difference between
@Valueand@ConfigurationProperties?
Spring Boot
- What does
@SpringBootApplicationinclude? - What is auto-configuration?
- What is a starter?
- How does Spring Boot decide what to auto-configure?
- How can you override an auto-configured bean?
- What is
@ConditionalOnMissingBean? - What is embedded Tomcat?
- What is
CommandLineRunner? - What is
ApplicationRunner? - How do you enable debug information for auto-configuration?
Spring MVC
- What is DispatcherServlet?
- What is
@RestController? - What is the difference between
@Controllerand@RestController? - What does
@RequestBodydo? - What does
@PathVariabledo? - What does
@RequestParamdo? - What is
ResponseEntity? - What is validation?
- Why do we use DTOs?
- What does
@ControllerAdvicedo?
Data Access
- What is JDBC?
- What does
JdbcTemplatedo? - What is
DataAccessException? - What is JPA?
- What is Hibernate?
- What is an entity?
- What is EntityManager?
- What is persistence context?
- What is Spring Data JPA?
- How do derived query methods work?
- What is lazy loading?
- What is the N+1 problem?
- Why can exposing entities in REST APIs be problematic?
Transactions
- What does
@Transactionaldo? - Where should transaction boundaries usually be placed?
- Which exceptions trigger rollback by default?
- How do you roll back on a checked exception?
- What is transaction propagation?
- What does REQUIRED mean?
- What does REQUIRES_NEW mean?
- What does MANDATORY mean?
- What is transaction isolation?
- What is a dirty read?
- What is a non-repeatable read?
- What is a phantom read?
- What is the self-invocation problem?
AOP
- What is AOP?
- What is an aspect?
- What is advice?
- What is a pointcut?
- What is a join point?
- What does
@Arounddo? - Why must
proceed()be called? - What is a proxy?
- What is the difference between JDK dynamic proxy and CGLIB proxy?
- How is AOP related to
@Transactional?
Security
- What is authentication?
- What is authorization?
- What is SecurityFilterChain?
- What is UserDetails?
- What is UserDetailsService?
- What is PasswordEncoder?
- What is BCrypt?
- What is the difference between role and authority?
- What is CSRF?
- What is CORS?
- When is disabling CSRF reasonable?
- What is method security?
- What does
@PreAuthorizedo?
Testing
- What is a unit test?
- What is an integration test?
- What does
@SpringBootTestload? - What does
@WebMvcTestload? - What does
@DataJpaTestload? - What is MockMvc?
- What is
@MockBean? - Why are slice tests useful?
- How do transactions behave in tests?
- What is a test profile?
- Why should not every test use
@SpringBootTest?
Actuator
- What is Actuator?
- What is
/actuator/health? - What is
/actuator/metrics? - What is
/actuator/conditions? - Why should Actuator endpoints be secured?
Flashcard Template
Use this for Anki or Markdown flashcards.
## Card
Q:
A:
Code example:
Exam trap:
Memory sentence:
Example:
## Card
Q: What does @SpringBootApplication include?
A: It combines @Configuration, @EnableAutoConfiguration, and @ComponentScan.
Code example:
@SpringBootApplication
public class App {}
Exam trap:
Many developers only know that it starts the app, but the exam expects the three internal annotations.
Memory sentence:
Spring Boot starts with configuration, auto-configuration, and component scanning.
Personal Study Rules
- Do not only memorize annotations.
- Always ask: "What problem does this solve?"
- Always ask: "What does Spring do internally?"
- Always compare similar annotations.
- Always know the default behavior.
- Always know how to override the default behavior.
- Always know the exam trap.
- Always make one tiny code proof.
- Always explain the topic in simple words.
- Review mistakes more than correct answers.
Final 14-Day Exam Countdown
Day -14
Review Spring Core.
Day -13
Review configuration, profiles, properties, and lifecycle.
Day -12
Review Spring Boot and auto-configuration.
Day -11
Review Spring MVC and REST.
Day -10
Review validation and exception handling.
Day -9
Review JDBC, JPA, Spring Data.
Day -8
Review transactions.
Day -7
Review AOP and proxies.
Day -6
Review Spring Security.
Day -5
Review testing annotations.
Day -4
Review Actuator and production readiness.
Day -3
Mock exam 1 and mistake analysis.
Day -2
Mock exam 2 and weak topic repair.
Day -1
Light review only. No heavy new topics.
Exam Day
Before the exam, review:
@SpringBootApplication- bean scopes
- lifecycle
@Transactional- rollback rules
- propagation
- AOP proxy behavior
- Spring MVC request flow
- testing annotations
- security filter chain
- Actuator security
One-Sentence Memory Bank
Use these sentences for fast review.
- Spring manages objects through the IoC container.
- A Spring bean is an object created and managed by Spring.
- Dependency Injection means dependencies are provided from outside.
- Constructor injection is preferred because dependencies are explicit and immutable.
@Componentregisters a class through scanning.@Beanregisters the return value of a method.@Repositorycan enable exception translation.- The default bean scope is singleton.
- Spring singleton means one instance per container.
@PostConstructruns after dependency injection.@SpringBootApplicationcombines configuration, auto-configuration, and component scanning.- Auto-configuration depends on classpath, properties, conditions, and existing beans.
- Starters are dependency bundles.
- DispatcherServlet is the front controller of Spring MVC.
@RestControllerreturns response bodies directly.@RequestBodymaps JSON body to Java object.@Validtriggers validation.@ControllerAdvicehandles exceptions globally.- JdbcTemplate reduces JDBC boilerplate.
- JPA is a specification; Hibernate is an implementation.
- Spring Data JPA generates repository implementations.
- Transactions belong mostly in the service layer.
- Runtime exceptions trigger rollback by default.
- Checked exceptions do not trigger rollback by default.
REQUIRES_NEWstarts an independent transaction.- Spring AOP is proxy-based.
- Self-invocation bypasses Spring proxies.
@Transactionalworks through a proxy.- Authentication means who you are.
- Authorization means what you can do.
- Spring Security web protection uses a filter chain.
- CSRF and CORS are different problems.
@SpringBootTestloads the full context.@WebMvcTesttests the web layer.@DataJpaTesttests the persistence layer.- Actuator provides production-ready monitoring endpoints.
Final Readiness Checklist
Before booking the exam, you should be able to do all of this:
[ ] Explain IoC without notes
[ ] Explain DI without notes
[ ] Explain ApplicationContext without notes
[ ] Compare @Component and @Bean
[ ] Compare @Service and @Repository
[ ] Explain bean scopes
[ ] Explain bean lifecycle
[ ] Explain profiles
[ ] Explain @ConfigurationProperties
[ ] Explain @SpringBootApplication
[ ] Explain auto-configuration
[ ] Explain starters
[ ] Explain conditional annotations
[ ] Explain DispatcherServlet
[ ] Build a REST controller from memory
[ ] Explain DTOs
[ ] Explain validation
[ ] Explain @ControllerAdvice
[ ] Explain JdbcTemplate
[ ] Explain JPA vs Hibernate
[ ] Explain Spring Data repositories
[ ] Explain lazy loading
[ ] Explain @Transactional
[ ] Explain rollback rules
[ ] Explain propagation
[ ] Explain isolation
[ ] Explain self-invocation
[ ] Explain AOP terms
[ ] Explain Spring proxies
[ ] Explain SecurityFilterChain
[ ] Explain authentication vs authorization
[ ] Explain CSRF
[ ] Explain CORS
[ ] Explain method security
[ ] Explain @SpringBootTest
[ ] Explain @WebMvcTest
[ ] Explain @DataJpaTest
[ ] Explain MockMvc
[ ] Explain Actuator
[ ] Score consistently well on mock exams
Recommended Next Step
Start with this file:
01-spring-core-notes.md
And write your own answers to these five questions:
- What problem does Spring solve?
- What is IoC?
- What is Dependency Injection?
- What is a bean?
- What happens when a Spring Boot application starts?
Do not copy answers from a tutorial. Write them in your own words.
When you can explain those five clearly, move to Week 1 Day 2.