Skip to main content

Spring Certified Professional — Theory-First Curriculum

Profile: React / full-stack developer with existing project experience Goal: Reinforce Spring theory and prepare for the Spring Certified Professional exam Style: Certification-first, theory-heavy, step-by-step, with small focused exercises Recommended duration: 10–12 weeks Daily time: 1.5–2.5 hours Main rule: Do not build another huge project. Use small code experiments only to prove the theory.


0. Certification Target

Target certification:

  • Spring Certified Professional 2024
  • Exam: Spring Professional Develop 2V0-72.22

Core exam areas to master:

  1. Spring Core
  2. Dependency Injection
  3. Bean lifecycle
  4. Configuration
  5. Spring Boot
  6. Auto-configuration
  7. Spring MVC and REST
  8. Validation and error handling
  9. Data access
  10. Transactions
  11. AOP and proxies
  12. Spring Security
  13. Testing
  14. Actuator and production readiness

1. How to Use This Curriculum

This curriculum is not a normal "learn Spring Boot" course.

You already built projects. So the goal is:

  • understand why Spring works
  • know what happens internally
  • prepare for exam-style questions
  • explain Spring concepts clearly in interviews
  • remove weak theory gaps

For every topic, follow this format:

## Topic Name

### 1. What is it?

Explain the idea in simple language.

### 2. Why does it exist?

Explain the problem it solves.

### 3. How does Spring implement it?

Mention annotations, classes, container behavior, proxies, or auto-configuration.

### 4. Common exam traps

List tricky points.

### 5. Tiny code proof

Write the smallest possible code to prove the concept.

### 6. Interview answer

Explain the concept in 5–8 sentences.

2. Weekly Structure

Each week has five study days plus review.

DayActivity
MondayRead theory and write notes
TuesdayCompare annotations and concepts
WednesdayDo tiny code experiments
ThursdayAnswer practice questions
FridayExplain concepts out loud
SaturdayReview mistakes and update cheat sheet
SundayRest or light flashcards

3. Daily Study Template

Use this every day.

# Daily Spring Study Log

Date:

## Topic

## What I learned

## Key annotations

## What Spring does internally

## Common traps

## 5 exam questions I can now answer

1.
2.
3.
4.
5.

## One small code proof

## My weak point today

## My final explanation in simple words

Recommended daily flow:

TimeTask
20 minRead official theory
25 minWrite your own explanation
25 minCompare similar concepts
25 minSmall code experiment
20 minPractice questions
15 minFlashcards

10-Week Certification Plan


Week 1 — Spring Core Mental Model

Goal

Understand Spring as a container that creates, connects, configures, and manages objects.

Main questions

By the end of this week, you must answer:

  • What is Spring Framework?
  • What is the IoC container?
  • What is Dependency Injection?
  • What is a bean?
  • What is ApplicationContext?
  • What is the difference between Spring and Spring Boot?
  • Why does Spring create objects instead of us using new everywhere?

Day 1 — What Problem Does Spring Solve?

Learn

Before Spring, applications often had many classes creating each other manually.

Example:

UserRepository repository = new UserRepository();
EmailService emailService = new EmailService();
UserService userService = new UserService(repository, emailService);

This creates problems:

  • hard to test
  • hard to replace dependencies
  • hard to configure
  • hard to manage object lifecycle
  • hard to reuse infrastructure

Spring solves this with the IoC container.

Key idea

IoC means:

Instead of your code controlling object creation, the Spring container controls object creation.

React comparison

In React, you often think in components:

<App>
<UserPage />
</App>

React controls rendering and lifecycle.

In Spring:

@Service
public class UserService {}

Spring controls object creation and lifecycle.

Tiny code proof

Create one service manually and one service with Spring.

Manual:

TaskRepository repository = new InMemoryTaskRepository();
TaskService service = new TaskService(repository);

Spring:

@Service
public class TaskService {
private final TaskRepository repository;

public TaskService(TaskRepository repository) {
this.repository = repository;
}
}

Exam traps

  • IoC and DI are related but not identical.
  • IoC is the principle.
  • DI is one implementation of IoC.
  • Spring does not magically know all classes. It discovers beans through configuration and component scanning.

Day 2 — ApplicationContext and BeanFactory

Learn

ApplicationContext is the main Spring container used in modern applications.

It can:

  • create beans
  • wire dependencies
  • manage bean lifecycle
  • publish events
  • resolve messages
  • read environment properties
  • support profiles

BeanFactory is a more basic container. ApplicationContext extends it and adds enterprise features.

Must know

ConceptMeaning
BeanFactoryBasic bean container
ApplicationContextFull-featured Spring container
BeanObject managed by Spring
BeanDefinitionMetadata describing how to create a bean

Exam traps

  • A Spring bean is not just any Java object.
  • A bean is an object managed by the Spring container.
  • ApplicationContext eagerly creates singleton beans by default.
  • Lazy initialization can change this behavior.

Small exercise

Write notes answering:

What happens when a Spring Boot application starts?

Expected answer:

  1. SpringApplication starts.
  2. ApplicationContext is created.
  3. Configuration classes are processed.
  4. Component scanning runs.
  5. Bean definitions are registered.
  6. Singleton beans are created.
  7. Dependencies are injected.
  8. Lifecycle callbacks run.
  9. Embedded web server starts if it is a web app.

Day 3 — Beans and Bean Definitions

Learn

A bean has:

  • name
  • type
  • scope
  • dependencies
  • lifecycle callbacks
  • initialization behavior

Bean registration can happen through:

@Component
@Service
@Repository
@Controller
@Configuration
@Bean

Compare

AnnotationPurpose
@ComponentGeneric Spring-managed component
@ServiceService layer specialization
@RepositoryPersistence layer specialization
@ControllerMVC controller
@RestControllerREST controller = @Controller + @ResponseBody
@ConfigurationDefines configuration class
@BeanCreates a bean manually from a method

Exam trap

@Service and @Repository are specializations of @Component.

But @Repository also supports persistence exception translation.

Small exercise

Answer:

When should I use @Component and when should I use @Bean?

Expected answer:

  • Use @Component / @Service when the class is yours and can be annotated.
  • Use @Bean when creating third-party classes, library objects, or when construction needs custom logic.

Day 4 — Dependency Injection

Learn

Dependency Injection means an object receives its dependencies from outside instead of creating them itself.

Types:

  1. Constructor injection
  2. Setter injection
  3. Field injection

Best practice:

@Service
public class TaskService {
private final TaskRepository repository;

public TaskService(TaskRepository repository) {
this.repository = repository;
}
}

Avoid:

@Autowired
private TaskRepository repository;

Why constructor injection is best

  • makes dependencies explicit
  • supports immutability
  • easier to test
  • avoids null dependencies
  • works well with required dependencies

Exam traps

  • @Autowired on a single constructor is optional in modern Spring.
  • Field injection works but is discouraged.
  • If multiple beans match one dependency, Spring fails unless you use @Primary, @Qualifier, or a more specific type.

Tiny code proof

Create two implementations:

public interface NotificationSender {
void send(String message);
}
@Component
public class EmailNotificationSender implements NotificationSender {}
@Component
public class SmsNotificationSender implements NotificationSender {}

Then fix ambiguity with:

@Qualifier("emailNotificationSender")

Day 5 — Component Scanning

Learn

Spring finds annotated classes through component scanning.

@SpringBootApplication includes @ComponentScan.

By default, it scans the package of the main application class and subpackages.

Example

@SpringBootApplication
public class MyApplication {}

If this class is in:

com.example.app

Spring scans:

com.example.app.*

But not:

com.other.*

Exam traps

  • Package structure matters.
  • A class with @Service will not become a bean if it is outside the scanned package.
  • You can customize scanning with @ComponentScan.

Small exercise

Write:

Why should the main Spring Boot class be placed in the root package?

Week 1 Review Checklist

You are ready to continue if you can explain:

  • IoC
  • DI
  • Bean
  • ApplicationContext
  • Component scanning
  • @Component vs @Bean
  • @Service vs @Repository
  • constructor injection
  • @Primary
  • @Qualifier

Week 2 — Configuration, Profiles, Properties, Bean Lifecycle

Goal

Understand how Spring configures applications and manages bean creation from start to shutdown.


Day 1 — Java Configuration

Learn

Modern Spring prefers Java configuration over XML.

Example:

@Configuration
public class AppConfig {

@Bean
public Clock clock() {
return Clock.systemUTC();
}
}

Important

@Configuration classes are proxied by Spring.

That means if one @Bean method calls another @Bean method, Spring can return the managed singleton bean instead of creating a new object manually.

Exam traps

  • @Configuration is stronger than plain @Component.
  • @Bean methods in @Configuration classes are proxied by CGLIB.
  • @Bean method names become bean names by default.

Day 2 — External Configuration

Learn

Spring Boot reads configuration from many places:

  • application.properties
  • application.yml
  • environment variables
  • command-line arguments
  • profile-specific files
  • config server, if used

Example:

app:
name: task-api
max-tasks-per-user: 50

Using @Value:

@Value("${app.name}")
private String appName;

Using @ConfigurationProperties:

@ConfigurationProperties(prefix = "app")
public class AppProperties {
private String name;
private int maxTasksPerUser;
}

Prefer

Use @ConfigurationProperties for grouped config.

Use @Value for simple one-off values.

Exam traps

  • @ConfigurationProperties is type-safe.
  • It needs to be enabled through component scanning, @EnableConfigurationProperties, or configuration properties scanning.
  • Environment variables can override property files.

Day 3 — Profiles

Learn

Profiles allow different beans or config for different environments.

Example:

spring:
profiles:
active: dev

Profile-specific files:

application-dev.yml
application-test.yml
application-prod.yml

Profile-specific bean:

@Profile("dev")
@Bean
public DataSource devDataSource() {}

Common profile use cases

ProfilePurpose
devlocal development
testautomated tests
prodproduction
dockercontainer environment

Exam traps

  • Profiles can activate beans.
  • Profiles can activate property files.
  • Multiple profiles can be active.
  • @Profile("!prod") means active when prod is not active.

Day 4 — Bean Scopes

Learn

Common scopes:

ScopeMeaning
singletonone bean per Spring container
prototypenew instance each time requested
requestone bean per HTTP request
sessionone bean per HTTP session
applicationone bean per ServletContext
websocketone bean per WebSocket session

Default scope:

singleton

Important

Singleton in Spring means:

one instance per Spring container

It does not mean Java singleton pattern.

Exam trap

Injecting a prototype bean into a singleton bean does not automatically create a new prototype instance each time you use it.

To solve this, use:

  • ObjectProvider<T>
  • Provider<T>
  • lookup method injection
  • scoped proxy

Day 5 — Bean Lifecycle

Learn

Bean lifecycle simplified:

  1. Instantiate bean
  2. Populate dependencies
  3. Aware callbacks
  4. BeanPostProcessor before initialization
  5. Initialization callbacks
  6. BeanPostProcessor after initialization
  7. Bean is ready
  8. Destruction callbacks on shutdown

Common callbacks:

@PostConstruct
public void init() {}
@PreDestroy
public void cleanup() {}

Other options:

InitializingBean
DisposableBean
@Bean(initMethod = "init", destroyMethod = "cleanup")

Exam traps

  • BeanPostProcessor can modify beans before and after initialization.
  • AOP proxies are often created through post-processors.
  • @PostConstruct runs after dependency injection.
  • @PreDestroy does not usually run for prototype beans automatically.

Week 2 Review Checklist

You must know:

  • @Configuration
  • @Bean
  • @Value
  • @ConfigurationProperties
  • profiles
  • property overriding
  • singleton scope
  • prototype scope
  • request/session scope
  • bean lifecycle
  • BeanPostProcessor
  • @PostConstruct
  • @PreDestroy

Week 3 — Spring Boot and Auto-Configuration

Goal

Understand what Spring Boot adds on top of Spring Framework.


Day 1 — Spring Boot Mental Model

Learn

Spring Boot helps you create production-ready Spring applications quickly.

It provides:

  • starter dependencies
  • auto-configuration
  • embedded web server
  • externalized configuration
  • Actuator
  • opinionated defaults

Key annotation

@SpringBootApplication

It combines:

@Configuration
@EnableAutoConfiguration
@ComponentScan

Exam trap

Many people know @SpringBootApplication, but not what it contains.


Day 2 — Starters

Learn

Starters are dependency bundles.

Examples:

spring-boot-starter-web
spring-boot-starter-data-jpa
spring-boot-starter-security
spring-boot-starter-test
spring-boot-starter-actuator

Why they exist

Without starters, you would manually choose compatible versions for many libraries.

With starters, Spring Boot manages compatible dependencies.

Exam traps

  • A starter is not magic code.
  • It is mostly dependency management.
  • Starters work together with auto-configuration.

Day 3 — Auto-Configuration

Learn

Auto-configuration means Spring Boot configures beans automatically based on:

  • classes on the classpath
  • existing beans
  • property values
  • environment
  • web application type

Example:

If spring-boot-starter-web is on the classpath, Boot configures:

  • DispatcherServlet
  • embedded Tomcat
  • JSON converter
  • error handling
  • MVC infrastructure

Common conditional annotations

@ConditionalOnClass
@ConditionalOnMissingBean
@ConditionalOnBean
@ConditionalOnProperty
@ConditionalOnWebApplication

Exam traps

  • Auto-configuration backs off when you define your own bean.
  • @ConditionalOnMissingBean is important.
  • Auto-configuration does not mean you cannot customize behavior.

Day 4 — SpringApplication and Runners

Learn

Application startup:

SpringApplication.run(App.class, args);

You can run code after startup:

@Bean
CommandLineRunner runner() {
return args -> {
System.out.println("Application started");
};
}

Also:

ApplicationRunner

Difference

InterfaceArgument type
CommandLineRunnerraw String array
ApplicationRunnerparsed ApplicationArguments

Day 5 — Boot Configuration Debugging

Learn

You need to know how to inspect auto-configuration.

Useful tools:

debug=true

Actuator endpoint:

/actuator/conditions

Startup logs can show which auto-configurations matched or did not match.

Small exercise

Turn on debug mode and answer:

Which auto-configurations are active in my app?
Which ones did not match?
Why?

Week 3 Review Checklist

You must know:

  • Spring vs Spring Boot
  • @SpringBootApplication
  • starters
  • auto-configuration
  • conditional annotations
  • embedded server
  • overriding auto-configured beans
  • CommandLineRunner
  • ApplicationRunner

Week 4 — Spring MVC and REST

Goal

Understand how Spring receives HTTP requests and returns HTTP responses.


Day 1 — DispatcherServlet

Learn

DispatcherServlet is the front controller in Spring MVC.

Request flow:

  1. Client sends HTTP request.
  2. DispatcherServlet receives it.
  3. HandlerMapping finds the controller method.
  4. Argument resolvers prepare method arguments.
  5. Controller method runs.
  6. Return value handlers process response.
  7. Message converters serialize response to JSON.
  8. HTTP response is sent.

Exam traps

  • DispatcherServlet is central to Spring MVC.
  • Controllers do not directly listen on sockets.
  • JSON conversion is handled by HTTP message converters.

Day 2 — Controllers and Request Mapping

Learn

Common annotations:

@RestController
@RequestMapping("/api/tasks")
@GetMapping
@PostMapping
@PutMapping
@PatchMapping
@DeleteMapping
@PathVariable
@RequestParam
@RequestBody

Example:

@GetMapping("/{id}")
public TaskResponse getTask(@PathVariable Long id) {
return taskService.findById(id);
}

Exam traps

  • @RestController = @Controller + @ResponseBody.
  • @RequestBody reads JSON body.
  • @PathVariable reads URL path.
  • @RequestParam reads query parameters.

Day 3 — DTOs and Message Conversion

Learn

DTO means Data Transfer Object.

Use DTOs for API input/output.

Do not expose JPA entities directly.

Why?

  • avoids lazy loading problems
  • protects internal data model
  • controls API shape
  • prevents accidental updates
  • improves validation

Example

public record CreateTaskRequest(
String title,
Long clientId
) {}
public record TaskResponse(
Long id,
String title,
String status
) {}

Exam traps

  • Jackson usually handles JSON serialization/deserialization.
  • Spring uses HttpMessageConverter.
  • Records work well as DTOs.

Day 4 — Validation

Learn

Validation uses Jakarta Bean Validation.

Common annotations:

@NotNull
@NotBlank
@Size
@Email
@Min
@Max
@Pattern
@Valid

Example:

public record CreateTaskRequest(
@NotBlank String title,
@NotNull Long clientId
) {}

Controller:

@PostMapping
public ResponseEntity<TaskResponse> create(@Valid @RequestBody CreateTaskRequest request) {}

Exam traps

  • @Valid triggers validation.
  • Validation errors can be handled globally.
  • Method parameter validation may require additional setup depending on use case.

Day 5 — Exception Handling

Learn

Use @ControllerAdvice for global exception handling.

@RestControllerAdvice
public class GlobalExceptionHandler {

@ExceptionHandler(TaskNotFoundException.class)
public ResponseEntity<ApiError> handle(TaskNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(new ApiError("TASK_NOT_FOUND", ex.getMessage()));
}
}

Exam traps

  • @ExceptionHandler can be local or global.
  • @ControllerAdvice applies across controllers.
  • ResponseEntity gives control over status, headers, and body.

Week 4 Review Checklist

You must know:

  • DispatcherServlet
  • HandlerMapping
  • @RestController
  • request mapping annotations
  • @RequestBody
  • @PathVariable
  • @RequestParam
  • DTOs
  • Jackson
  • validation
  • exception handling
  • ResponseEntity

Week 5 — Data Access

Goal

Understand Spring JDBC, JPA, Spring Data, repositories, and exception translation.


Day 1 — JDBC and JdbcTemplate

Learn

JDBC is the low-level Java API for database access.

Spring provides JdbcTemplate to reduce boilerplate.

Without Spring JDBC:

  • open connection
  • create statement
  • execute query
  • map result
  • handle exceptions
  • close resources

With JdbcTemplate:

List<Client> clients = jdbcTemplate.query(
"select id, name from clients",
(rs, rowNum) -> new Client(rs.getLong("id"), rs.getString("name"))
);

Exam traps

  • JdbcTemplate handles resource management.
  • It translates SQL exceptions into Spring DataAccessException.
  • Spring data access exceptions are unchecked.

Day 2 — JPA and Hibernate

Learn

JPA is a specification. Hibernate is an implementation.

JPA lets you map Java objects to database tables.

Example:

@Entity
public class Task {

@Id
@GeneratedValue
private Long id;

private String title;
}

Must know

ConceptMeaning
EntityPersistent domain object
EntityManagerJPA API for persistence operations
Persistence contextFirst-level cache / managed entity context
HibernateJPA provider
Dirty checkingHibernate detects changed managed entities

Exam traps

  • JPA is not Hibernate.
  • Hibernate implements JPA.
  • Managed entities are tracked.
  • Detached entities are not automatically tracked.

Day 3 — Spring Data JPA

Learn

Spring Data JPA reduces repository boilerplate.

public interface TaskRepository extends JpaRepository<Task, Long> {
List<Task> findByStatus(TaskStatus status);
}

Spring creates the implementation at runtime.

Query options

  1. Derived query methods
  2. @Query
  3. Specifications
  4. Query by Example
  5. Custom repository implementation

Exam traps

  • JpaRepository extends PagingAndSortingRepository and CrudRepository concepts.
  • Repository implementations are generated by Spring Data.
  • Method names are parsed into queries.

Day 4 — Relationships and Fetching

Learn

Common relationships:

@OneToMany
@ManyToOne
@OneToOne
@ManyToMany

Example:

@ManyToOne(fetch = FetchType.LAZY)
private Client client;

Lazy vs eager

Fetch typeMeaning
LAZYload when needed
EAGERload immediately

Exam traps

  • Lazy loading needs an open persistence context.
  • Lazy loading can cause N+1 query problems.
  • EAGER is not always better.
  • DTO queries can avoid unnecessary entity loading.

Day 5 — Exception Translation

Learn

@Repository enables persistence exception translation.

Database-specific exceptions become Spring's consistent exception hierarchy.

Example:

SQLException -> DataAccessException

Why useful?

Your service layer does not need to depend on database-specific exception types.

Exam traps

  • DataAccessException is unchecked.
  • @Repository is not only semantic; it can enable exception translation.

Week 5 Review Checklist

You must know:

  • JDBC
  • JdbcTemplate
  • DataAccessException
  • JPA
  • Hibernate
  • EntityManager
  • persistence context
  • Spring Data repositories
  • derived queries
  • @Query
  • relationships
  • lazy/eager loading
  • exception translation

Week 6 — Transactions

Goal

Master @Transactional, transaction boundaries, rollback, propagation, isolation, and proxy limitations.

This is one of the most important exam areas.


Day 1 — Transaction Basics

Learn

A transaction is a unit of work.

ACID:

LetterMeaning
AAtomicity
CConsistency
IIsolation
DDurability

Example:

@Transactional
public TaskResponse createTask(CreateTaskRequest request) {
Client client = clientRepository.findById(request.clientId())
.orElseThrow();

Task task = new Task(request.title(), client);
taskRepository.save(task);

auditRepository.save(new AuditLog("TASK_CREATED"));

return mapper.toResponse(task);
}

If something fails, the whole operation can roll back.


Day 2 — Where to Put @Transactional

Best practice

Put @Transactional on service-layer methods.

Why?

  • service methods represent business use cases
  • one use case may involve multiple repositories
  • transaction boundary should cover the whole business operation

Avoid putting transactions mainly on controllers.

Exam traps

  • @Transactional can be placed on class or method.
  • Method-level annotation overrides class-level annotation.
  • Public methods are normally proxied.
  • Internal self-calls may bypass the proxy.

Day 3 — Rollback Rules

Learn

By default:

Exception typeRollback?
RuntimeExceptionyes
Erroryes
Checked Exceptionno

Example:

@Transactional(rollbackFor = IOException.class)
public void importFile() throws IOException {}

Exam traps

  • Checked exceptions do not trigger rollback by default.
  • You can customize rollback with rollbackFor.
  • Catching and swallowing exceptions may prevent rollback.

Day 4 — Propagation

Learn

Transaction propagation defines how a transactional method behaves when called inside another transaction.

Important propagation types:

PropagationMeaning
REQUIREDjoin existing transaction or create new one
REQUIRES_NEWsuspend existing and create new transaction
SUPPORTSjoin if exists, otherwise run without transaction
MANDATORYmust have existing transaction
NEVERfail if transaction exists
NOT_SUPPORTEDsuspend transaction and run without one
NESTEDnested transaction with savepoint

Most important for exam

  • REQUIRED
  • REQUIRES_NEW
  • MANDATORY
  • NESTED

Exam trap

REQUIRES_NEW commits or rolls back independently from the outer transaction.


Day 5 — Isolation and Read-Only

Learn

Isolation controls how transactions see changes from other transactions.

Common problems:

ProblemMeaning
Dirty readread uncommitted data
Non-repeatable readsame row read twice gives different result
Phantom readsame query returns different rows

Isolation levels:

@Transactional(isolation = Isolation.READ_COMMITTED)

Read-only:

@Transactional(readOnly = true)

Exam traps

  • Isolation support depends on the database.
  • readOnly = true is an optimization hint.
  • It does not always strictly prevent writes at the database level.

Week 6 Review Checklist

You must know:

  • ACID
  • transaction boundary
  • @Transactional
  • rollback rules
  • checked vs unchecked exceptions
  • propagation
  • isolation
  • read-only transactions
  • self-invocation problem
  • transaction proxies

Week 7 — AOP and Proxies

Goal

Understand Spring AOP and why proxies are central to transactions, security, and method interception.


Day 1 — AOP Mental Model

Learn

AOP means Aspect-Oriented Programming.

It solves cross-cutting concerns:

  • logging
  • security
  • transactions
  • metrics
  • auditing
  • caching

Instead of writing the same code in every method, Spring can apply behavior around method calls.

Vocabulary

TermMeaning
Aspectmodule containing cross-cutting logic
Adviceaction taken by an aspect
Pointcutexpression selecting where advice applies
Join pointpoint in execution, usually method execution
Weavingapplying aspects
Proxywrapper object that intercepts calls

Day 2 — Advice Types

Learn

Advice types:

@Before
@After
@AfterReturning
@AfterThrowing
@Around

Most powerful:

@Around

Example:

@Around("execution(* com.example..*Service.*(..))")
public Object measure(ProceedingJoinPoint pjp) throws Throwable {
long start = System.currentTimeMillis();
try {
return pjp.proceed();
} finally {
long duration = System.currentTimeMillis() - start;
System.out.println("Duration: " + duration);
}
}

Exam traps

  • @Around must call proceed() or the target method will not run.
  • @After runs after method completion, regardless of success or exception.
  • @AfterReturning only runs after successful return.
  • @AfterThrowing only runs when exception is thrown.

Day 3 — Proxies

Learn

Spring often creates a proxy object around your bean.

Caller talks to proxy. Proxy adds behavior. Proxy calls target object.

Controller -> Service Proxy -> Real Service

Used by:

  • @Transactional
  • Spring Security method security
  • caching
  • AOP

Proxy types

Proxy typeUsed when
JDK dynamic proxyinterface-based proxy
CGLIB proxyclass-based proxy

Exam traps

  • Self-invocation bypasses proxy.
  • Final methods/classes can be problematic for proxying.
  • Private methods are not advised by Spring AOP.
  • Spring AOP is proxy-based and method-execution focused.

Day 4 — AOP vs Filters vs Interceptors

Compare

MechanismLayer
Servlet Filterbefore request reaches Spring MVC
Spring HandlerInterceptoraround controller handling
AOParound Spring bean method calls

Use cases

NeedTool
authentication filterFilter
request loggingFilter or Interceptor
controller timingInterceptor
service method auditAOP
transaction boundaryAOP proxy

Day 5 — AOP Exam Summary

You must explain

@Transactional works because Spring creates a proxy around the service bean.
When another bean calls the service method, the call goes through the proxy.
The proxy opens a transaction before the method and commits or rolls back after the method.
If the method calls another method in the same class, the call does not go through the proxy.
That is why self-invocation can break transactional behavior.

Week 7 Review Checklist

You must know:

  • AOP
  • aspect
  • advice
  • pointcut
  • join point
  • proxy
  • JDK dynamic proxy
  • CGLIB
  • self-invocation
  • relationship between AOP and transactions

Week 8 — Spring Security

Goal

Understand the security filter chain, authentication, authorization, password encoding, CSRF, CORS, and method security.


Day 1 — Security Mental Model

Learn

Authentication:

Who are you?

Authorization:

What are you allowed to do?

Spring Security works mostly through filters.

Request flow:

HTTP request
-> Security filter chain
-> DispatcherServlet
-> Controller

Exam traps

  • Security happens before controller execution.
  • Spring Security is based on servlet filters for web security.
  • Method security can also protect service methods.

Day 2 — SecurityFilterChain

Learn

Modern Spring Security uses SecurityFilterChain.

Example:

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/actuator/health").permitAll()
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
.build();
}

Exam traps

  • WebSecurityConfigurerAdapter is old style.
  • SecurityFilterChain is current style.
  • Request matchers define authorization rules.

Day 3 — Users, Roles, Authorities

Learn

Important interfaces/classes:

UserDetails
UserDetailsService
GrantedAuthority
PasswordEncoder
Authentication
SecurityContext
SecurityContextHolder

Roles vs authorities

In Spring Security:

ROLE_ADMIN

is an authority.

hasRole("ADMIN") checks for:

ROLE_ADMIN

hasAuthority("ROLE_ADMIN") checks directly.

Exam traps

  • Roles are usually stored as authorities with ROLE_ prefix.
  • Passwords should be encoded, not stored as plain text.
  • BCrypt is commonly used.

Day 4 — CSRF and CORS

CSRF

CSRF protects browser-based session authentication from unwanted state-changing requests.

For stateless REST APIs using tokens, CSRF is often disabled.

But understand the reason, do not just memorize "disable CSRF".

CORS

CORS is a browser security mechanism.

Your React app at:

http://localhost:3000

calling backend at:

http://localhost:8080

is cross-origin.

Spring can configure allowed origins, methods, and headers.

Exam traps

  • CSRF and CORS are different.
  • CORS is enforced by browsers.
  • CSRF is about unwanted authenticated actions.
  • Disabling CSRF is common for stateless APIs, not always for session-based apps.

Day 5 — Method Security

Learn

Enable method security:

@EnableMethodSecurity

Use:

@PreAuthorize("hasRole('ADMIN')")
public void deleteTask(Long id) {}

Exam traps

  • Method security also uses proxies.
  • Self-invocation can affect method security.
  • Controller security and method security can be combined.

Week 8 Review Checklist

You must know:

  • authentication
  • authorization
  • filter chain
  • SecurityFilterChain
  • UserDetails
  • UserDetailsService
  • PasswordEncoder
  • BCrypt
  • roles and authorities
  • CSRF
  • CORS
  • method security
  • @PreAuthorize

Week 9 — Testing

Goal

Understand Spring testing annotations and when to use each one.


Day 1 — Testing Pyramid

Learn

Test types:

Test typeSpeedPurpose
Unit testfastestpure Java logic
Slice testfastone Spring layer
Integration testslowerlarger Spring context
End-to-end testslowestwhole system

Exam trap

Do not use @SpringBootTest for everything.


Day 2 — Unit Tests with Mockito

Learn

Use Mockito for service tests without Spring context.

@ExtendWith(MockitoExtension.class)
class TaskServiceTest {

@Mock
TaskRepository taskRepository;

@InjectMocks
TaskService taskService;
}

Exam traps

  • Unit tests do not need Spring.
  • Mockito mocks dependencies.
  • Fast tests are useful for business logic.

Day 3 — MVC Slice Tests

Learn

Use:

@WebMvcTest(TaskController.class)

Usually with:

MockMvc
@MockBean

Example purpose:

  • test request mapping
  • test validation
  • test status codes
  • test JSON response
  • test controller behavior

Exam traps

  • @WebMvcTest does not load full application context.
  • Service beans usually need to be mocked.
  • It focuses on web layer.

Day 4 — JPA Slice Tests

Learn

Use:

@DataJpaTest

Purpose:

  • test repositories
  • test entity mapping
  • test queries
  • test persistence behavior

Exam traps

  • @DataJpaTest loads JPA-related components.
  • It usually uses an embedded database by default unless configured otherwise.
  • Tests are often transactional and roll back after each test.

Day 5 — Full Integration Tests

Learn

Use:

@SpringBootTest

Purpose:

  • load full context
  • test multiple layers together
  • test real configuration
  • test application wiring

Optional:

@AutoConfigureMockMvc

Exam traps

  • @SpringBootTest is heavier.
  • It is useful but should not replace smaller tests.
  • It loads the full application context.

Week 9 Review Checklist

You must know:

  • JUnit 5
  • Mockito
  • @SpringBootTest
  • @WebMvcTest
  • @DataJpaTest
  • MockMvc
  • @MockBean
  • test profiles
  • transaction rollback in tests
  • unit vs integration tests

Week 10 — Actuator, Production Readiness, Final Exam Review

Goal

Understand production-ready features and finish the exam cheat sheet.


Day 1 — Actuator

Learn

Actuator provides production-ready endpoints.

Common endpoints:

/actuator/health
/actuator/info
/actuator/metrics
/actuator/env
/actuator/beans
/actuator/conditions

Configuration

management:
endpoints:
web:
exposure:
include: health,info,metrics

Exam traps

  • Do not expose all endpoints publicly in production.
  • Health endpoint is commonly exposed.
  • Actuator can show conditions and bean information.

Day 2 — Logging

Learn

Spring Boot uses logging abstraction and default logging configuration.

Common levels:

TRACE
DEBUG
INFO
WARN
ERROR

Example:

logging:
level:
org.springframework.security: DEBUG

Exam traps

  • Debug logging can help understand auto-configuration and security.
  • Do not enable too much debug logging in production.

Day 3 — Packaging and Running

Learn

Spring Boot applications can be packaged as executable jars.

Run:

java -jar app.jar

Change profile:

java -jar app.jar --spring.profiles.active=prod

Environment variable:

SPRING_PROFILES_ACTIVE=prod java -jar app.jar

Exam traps

  • Spring Boot uses embedded server by default for web apps.
  • You do not need to deploy a WAR to external Tomcat for common Boot apps.

Day 4 — Final Weak Areas

Review all weak topics:

## Weak Topic

Why I was wrong:

Correct explanation:

Code proof:

Exam trap:

Final memory sentence:

Day 5 — Final Mock Exam Routine

Do a mock exam simulation:

# Mock Exam Log

Date:

Score:

Time used:

Weak areas:

Top 10 wrong questions:

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Topics to review tomorrow:

Final Exam Cheat Sheet

Spring Core

IoC

IoC means the framework controls object creation and wiring.

Dependency Injection

DI means dependencies are provided from outside, usually by the Spring container.

Bean

A bean is an object managed by Spring.

ApplicationContext

The main Spring container. It manages beans, configuration, events, environment, and lifecycle.

Component Scanning

Spring scans packages for stereotype annotations like @Component, @Service, @Repository, and @Controller.

@Component vs @Bean

  • @Component: annotate your own class.
  • @Bean: create a bean manually in a configuration class.

@Primary vs @Qualifier

  • @Primary: default bean when multiple candidates exist.
  • @Qualifier: choose a specific bean explicitly.

Bean Lifecycle

Order summary:

  1. Instantiate
  2. Inject dependencies
  3. Aware callbacks
  4. BeanPostProcessor before init
  5. Init callbacks
  6. BeanPostProcessor after init
  7. Bean ready
  8. Destroy callbacks

Spring Boot

@SpringBootApplication

Combination of:

@Configuration
@EnableAutoConfiguration
@ComponentScan

Auto-Configuration

Spring Boot creates beans automatically based on classpath, properties, existing beans, and conditions.

Starters

Dependency bundles that simplify Maven/Gradle configuration.


Spring MVC

DispatcherServlet

Front controller that receives requests and dispatches them to controllers.

@RestController

Equivalent to:

@Controller
@ResponseBody

Request Annotations

AnnotationPurpose
@RequestBodyJSON body
@PathVariablepath value
@RequestParamquery parameter
@Validtrigger validation

Data Access

JDBC

Low-level database access API.

JdbcTemplate

Spring helper that reduces JDBC boilerplate.

JPA

Specification for ORM.

Hibernate

Popular JPA implementation.

Spring Data JPA

Creates repository implementations automatically.


Transactions

@Transactional

Creates a transaction around a method using Spring AOP proxy.

Rollback Default

ExceptionRollback
RuntimeExceptionyes
Erroryes
Checked Exceptionno

Propagation

Most important:

  • REQUIRED
  • REQUIRES_NEW
  • MANDATORY
  • NESTED

Self-Invocation

A method inside the same class calling another transactional method bypasses the proxy.


AOP

Aspect

Class containing cross-cutting behavior.

Advice

Action executed at a join point.

Pointcut

Expression selecting where advice applies.

Proxy

Wrapper object used by Spring to add behavior around method calls.


Security

Authentication

Who are you?

Authorization

What are you allowed to do?

SecurityFilterChain

Defines web security rules.

CSRF

Protection against unwanted browser-based authenticated requests.

CORS

Browser mechanism for cross-origin requests.


Testing

@SpringBootTest

Loads full application context.

@WebMvcTest

Loads web layer only.

@DataJpaTest

Loads JPA layer only.

MockMvc

Tests MVC requests without starting a real server.


Actuator

Production-ready endpoints for:

  • health
  • metrics
  • info
  • beans
  • conditions
  • environment

Do not expose all endpoints publicly in production.


Exam-Style Question Bank

Use these questions for active recall.

Spring Core

  1. What is IoC?
  2. What is Dependency Injection?
  3. What is a Spring bean?
  4. What is ApplicationContext?
  5. What is the difference between BeanFactory and ApplicationContext?
  6. What is component scanning?
  7. What does @Component do?
  8. What is the difference between @Component and @Bean?
  9. What is the difference between @Service and @Repository?
  10. Why is constructor injection recommended?
  11. What happens if two beans match one dependency?
  12. What does @Primary do?
  13. What does @Qualifier do?
  14. What is the default bean scope?
  15. What is the difference between singleton and prototype scope?
  16. What is a bean lifecycle callback?
  17. When does @PostConstruct run?
  18. What does BeanPostProcessor do?
  19. What are profiles?
  20. What is the difference between @Value and @ConfigurationProperties?

Spring Boot

  1. What does @SpringBootApplication include?
  2. What is auto-configuration?
  3. What is a starter?
  4. How does Spring Boot decide what to auto-configure?
  5. How can you override an auto-configured bean?
  6. What is @ConditionalOnMissingBean?
  7. What is embedded Tomcat?
  8. What is CommandLineRunner?
  9. What is ApplicationRunner?
  10. How do you enable debug information for auto-configuration?

Spring MVC

  1. What is DispatcherServlet?
  2. What is @RestController?
  3. What is the difference between @Controller and @RestController?
  4. What does @RequestBody do?
  5. What does @PathVariable do?
  6. What does @RequestParam do?
  7. What is ResponseEntity?
  8. What is validation?
  9. Why do we use DTOs?
  10. What does @ControllerAdvice do?

Data Access

  1. What is JDBC?
  2. What does JdbcTemplate do?
  3. What is DataAccessException?
  4. What is JPA?
  5. What is Hibernate?
  6. What is an entity?
  7. What is EntityManager?
  8. What is persistence context?
  9. What is Spring Data JPA?
  10. How do derived query methods work?
  11. What is lazy loading?
  12. What is the N+1 problem?
  13. Why can exposing entities in REST APIs be problematic?

Transactions

  1. What does @Transactional do?
  2. Where should transaction boundaries usually be placed?
  3. Which exceptions trigger rollback by default?
  4. How do you roll back on a checked exception?
  5. What is transaction propagation?
  6. What does REQUIRED mean?
  7. What does REQUIRES_NEW mean?
  8. What does MANDATORY mean?
  9. What is transaction isolation?
  10. What is a dirty read?
  11. What is a non-repeatable read?
  12. What is a phantom read?
  13. What is the self-invocation problem?

AOP

  1. What is AOP?
  2. What is an aspect?
  3. What is advice?
  4. What is a pointcut?
  5. What is a join point?
  6. What does @Around do?
  7. Why must proceed() be called?
  8. What is a proxy?
  9. What is the difference between JDK dynamic proxy and CGLIB proxy?
  10. How is AOP related to @Transactional?

Security

  1. What is authentication?
  2. What is authorization?
  3. What is SecurityFilterChain?
  4. What is UserDetails?
  5. What is UserDetailsService?
  6. What is PasswordEncoder?
  7. What is BCrypt?
  8. What is the difference between role and authority?
  9. What is CSRF?
  10. What is CORS?
  11. When is disabling CSRF reasonable?
  12. What is method security?
  13. What does @PreAuthorize do?

Testing

  1. What is a unit test?
  2. What is an integration test?
  3. What does @SpringBootTest load?
  4. What does @WebMvcTest load?
  5. What does @DataJpaTest load?
  6. What is MockMvc?
  7. What is @MockBean?
  8. Why are slice tests useful?
  9. How do transactions behave in tests?
  10. What is a test profile?
  11. Why should not every test use @SpringBootTest?

Actuator

  1. What is Actuator?
  2. What is /actuator/health?
  3. What is /actuator/metrics?
  4. What is /actuator/conditions?
  5. Why should Actuator endpoints be secured?

Flashcard Template

Use this for Anki or Markdown flashcards.

## Card

Q:

A:

Code example:

Exam trap:

Memory sentence:

Example:

## Card

Q: What does @SpringBootApplication include?

A: It combines @Configuration, @EnableAutoConfiguration, and @ComponentScan.

Code example:

@SpringBootApplication
public class App {}

Exam trap:
Many developers only know that it starts the app, but the exam expects the three internal annotations.

Memory sentence:
Spring Boot starts with configuration, auto-configuration, and component scanning.

Personal Study Rules

  1. Do not only memorize annotations.
  2. Always ask: "What problem does this solve?"
  3. Always ask: "What does Spring do internally?"
  4. Always compare similar annotations.
  5. Always know the default behavior.
  6. Always know how to override the default behavior.
  7. Always know the exam trap.
  8. Always make one tiny code proof.
  9. Always explain the topic in simple words.
  10. Review mistakes more than correct answers.

Final 14-Day Exam Countdown

Day -14

Review Spring Core.

Day -13

Review configuration, profiles, properties, and lifecycle.

Day -12

Review Spring Boot and auto-configuration.

Day -11

Review Spring MVC and REST.

Day -10

Review validation and exception handling.

Day -9

Review JDBC, JPA, Spring Data.

Day -8

Review transactions.

Day -7

Review AOP and proxies.

Day -6

Review Spring Security.

Day -5

Review testing annotations.

Day -4

Review Actuator and production readiness.

Day -3

Mock exam 1 and mistake analysis.

Day -2

Mock exam 2 and weak topic repair.

Day -1

Light review only. No heavy new topics.

Exam Day

Before the exam, review:

  • @SpringBootApplication
  • bean scopes
  • lifecycle
  • @Transactional
  • rollback rules
  • propagation
  • AOP proxy behavior
  • Spring MVC request flow
  • testing annotations
  • security filter chain
  • Actuator security

One-Sentence Memory Bank

Use these sentences for fast review.

  1. Spring manages objects through the IoC container.
  2. A Spring bean is an object created and managed by Spring.
  3. Dependency Injection means dependencies are provided from outside.
  4. Constructor injection is preferred because dependencies are explicit and immutable.
  5. @Component registers a class through scanning.
  6. @Bean registers the return value of a method.
  7. @Repository can enable exception translation.
  8. The default bean scope is singleton.
  9. Spring singleton means one instance per container.
  10. @PostConstruct runs after dependency injection.
  11. @SpringBootApplication combines configuration, auto-configuration, and component scanning.
  12. Auto-configuration depends on classpath, properties, conditions, and existing beans.
  13. Starters are dependency bundles.
  14. DispatcherServlet is the front controller of Spring MVC.
  15. @RestController returns response bodies directly.
  16. @RequestBody maps JSON body to Java object.
  17. @Valid triggers validation.
  18. @ControllerAdvice handles exceptions globally.
  19. JdbcTemplate reduces JDBC boilerplate.
  20. JPA is a specification; Hibernate is an implementation.
  21. Spring Data JPA generates repository implementations.
  22. Transactions belong mostly in the service layer.
  23. Runtime exceptions trigger rollback by default.
  24. Checked exceptions do not trigger rollback by default.
  25. REQUIRES_NEW starts an independent transaction.
  26. Spring AOP is proxy-based.
  27. Self-invocation bypasses Spring proxies.
  28. @Transactional works through a proxy.
  29. Authentication means who you are.
  30. Authorization means what you can do.
  31. Spring Security web protection uses a filter chain.
  32. CSRF and CORS are different problems.
  33. @SpringBootTest loads the full context.
  34. @WebMvcTest tests the web layer.
  35. @DataJpaTest tests the persistence layer.
  36. Actuator provides production-ready monitoring endpoints.

Final Readiness Checklist

Before booking the exam, you should be able to do all of this:

[ ] Explain IoC without notes
[ ] Explain DI without notes
[ ] Explain ApplicationContext without notes
[ ] Compare @Component and @Bean
[ ] Compare @Service and @Repository
[ ] Explain bean scopes
[ ] Explain bean lifecycle
[ ] Explain profiles
[ ] Explain @ConfigurationProperties
[ ] Explain @SpringBootApplication
[ ] Explain auto-configuration
[ ] Explain starters
[ ] Explain conditional annotations
[ ] Explain DispatcherServlet
[ ] Build a REST controller from memory
[ ] Explain DTOs
[ ] Explain validation
[ ] Explain @ControllerAdvice
[ ] Explain JdbcTemplate
[ ] Explain JPA vs Hibernate
[ ] Explain Spring Data repositories
[ ] Explain lazy loading
[ ] Explain @Transactional
[ ] Explain rollback rules
[ ] Explain propagation
[ ] Explain isolation
[ ] Explain self-invocation
[ ] Explain AOP terms
[ ] Explain Spring proxies
[ ] Explain SecurityFilterChain
[ ] Explain authentication vs authorization
[ ] Explain CSRF
[ ] Explain CORS
[ ] Explain method security
[ ] Explain @SpringBootTest
[ ] Explain @WebMvcTest
[ ] Explain @DataJpaTest
[ ] Explain MockMvc
[ ] Explain Actuator
[ ] Score consistently well on mock exams

Recommended Next Step

Start with this file:

01-spring-core-notes.md

And write your own answers to these five questions:

  1. What problem does Spring solve?
  2. What is IoC?
  3. What is Dependency Injection?
  4. What is a bean?
  5. What happens when a Spring Boot application starts?

Do not copy answers from a tutorial. Write them in your own words.

When you can explain those five clearly, move to Week 1 Day 2.