Springboot Patterns

1---2name: springboot-patterns3description: Spring Boot architecture patterns, REST API design, layered services, data access, caching, async processing, and logging. Use for Java Spring Boot backend work.4origin: ECC5---6 7# Spring Boot Development Patterns8 9Spring Boot architecture and API patterns for scalable, production-grade services.10 11## When to Activate12 13- Building REST APIs with Spring MVC or WebFlux14- Structuring controller → service → repository layers15- Configuring Spring Data JPA, caching, or async processing16- Adding validation, exception handling, or pagination17- Setting up profiles for dev/staging/production environments18- Implementing event-driven patterns with Spring Events or Kafka19 20## REST API Structure21 22```java23@RestController24@RequestMapping("/api/markets")25@Validated26class MarketController {27  private final MarketService marketService;28 29  MarketController(MarketService marketService) {30    this.marketService = marketService;31  }32 33  @GetMapping34  ResponseEntity<Page<MarketResponse>> list(35      @RequestParam(defaultValue = "0") int page,36      @RequestParam(defaultValue = "20") int size) {37    Page<Market> markets = marketService.list(PageRequest.of(page, size));38    return ResponseEntity.ok(markets.map(MarketResponse::from));39  }40 41  @PostMapping42  ResponseEntity<MarketResponse> create(@Valid @RequestBody CreateMarketRequest request) {43    Market market = marketService.create(request);44    return ResponseEntity.status(HttpStatus.CREATED).body(MarketResponse.from(market));45  }46}47```48 49## Repository Pattern (Spring Data JPA)50 51```java52public interface MarketRepository extends JpaRepository<MarketEntity, Long> {53  @Query("select m from MarketEntity m where m.status = :status order by m.volume desc")54  List<MarketEntity> findActive(@Param("status") MarketStatus status, Pageable pageable);55}56```57 58## Service Layer with Transactions59 60```java61@Service62public class MarketService {63  private final MarketRepository repo;64 65  public MarketService(MarketRepository repo) {66    this.repo = repo;67  }68 69  @Transactional70  public Market create(CreateMarketRequest request) {71    MarketEntity entity = MarketEntity.from(request);72    MarketEntity saved = repo.save(entity);73    return Market.from(saved);74  }75}76```77 78## DTOs and Validation79 80```java81public record CreateMarketRequest(82    @NotBlank @Size(max = 200) String name,83    @NotBlank @Size(max = 2000) String description,84    @NotNull @FutureOrPresent Instant endDate,85    @NotEmpty List<@NotBlank String> categories) {}86 87public record MarketResponse(Long id, String name, MarketStatus status) {88  static MarketResponse from(Market market) {89    return new MarketResponse(market.id(), market.name(), market.status());90  }91}92```93 94## Exception Handling95 96```java97@ControllerAdvice98class GlobalExceptionHandler {99  @ExceptionHandler(MethodArgumentNotValidException.class)100  ResponseEntity<ApiError> handleValidation(MethodArgumentNotValidException ex) {101    String message = ex.getBindingResult().getFieldErrors().stream()102        .map(e -> e.getField() + ": " + e.getDefaultMessage())103        .collect(Collectors.joining(", "));104    return ResponseEntity.badRequest().body(ApiError.validation(message));105  }106 107  @ExceptionHandler(AccessDeniedException.class)108  ResponseEntity<ApiError> handleAccessDenied() {109    return ResponseEntity.status(HttpStatus.FORBIDDEN).body(ApiError.of("Forbidden"));110  }111 112  @ExceptionHandler(Exception.class)113  ResponseEntity<ApiError> handleGeneric(Exception ex) {114    // Log unexpected errors with stack traces115    return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)116        .body(ApiError.of("Internal server error"));117  }118}119```120 121## Caching122 123Requires `@EnableCaching` on a configuration class.124 125```java126@Service127public class MarketCacheService {128  private final MarketRepository repo;129 130  public MarketCacheService(MarketRepository repo) {131    this.repo = repo;132  }133 134  @Cacheable(value = "market", key = "#id")135  public Market getById(Long id) {136    return repo.findById(id)137        .map(Market::from)138        .orElseThrow(() -> new EntityNotFoundException("Market not found"));139  }140 141  @CacheEvict(value = "market", key = "#id")142  public void evict(Long id) {}143}144```145 146## Async Processing147 148Requires `@EnableAsync` on a configuration class.149 150```java151@Service152public class NotificationService {153  @Async154  public CompletableFuture<Void> sendAsync(Notification notification) {155    // send email/SMS156    return CompletableFuture.completedFuture(null);157  }158}159```160 161## Logging (SLF4J)162 163```java164@Service165public class ReportService {166  private static final Logger log = LoggerFactory.getLogger(ReportService.class);167 168  public Report generate(Long marketId) {169    log.info("generate_report marketId={}", marketId);170    try {171      // logic172    } catch (Exception ex) {173      log.error("generate_report_failed marketId={}", marketId, ex);174      throw ex;175    }176    return new Report();177  }178}179```180 181## Middleware / Filters182 183```java184@Component185public class RequestLoggingFilter extends OncePerRequestFilter {186  private static final Logger log = LoggerFactory.getLogger(RequestLoggingFilter.class);187 188  @Override189  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,190      FilterChain filterChain) throws ServletException, IOException {191    long start = System.currentTimeMillis();192    try {193      filterChain.doFilter(request, response);194    } finally {195      long duration = System.currentTimeMillis() - start;196      log.info("req method={} uri={} status={} durationMs={}",197          request.getMethod(), request.getRequestURI(), response.getStatus(), duration);198    }199  }200}201```202 203## Pagination and Sorting204 205```java206PageRequest page = PageRequest.of(pageNumber, pageSize, Sort.by("createdAt").descending());207Page<Market> results = marketService.list(page);208```209 210## Error-Resilient External Calls211 212```java213public <T> T withRetry(Supplier<T> supplier, int maxRetries) {214  int attempts = 0;215  while (true) {216    try {217      return supplier.get();218    } catch (Exception ex) {219      attempts++;220      if (attempts >= maxRetries) {221        throw ex;222      }223      try {224        Thread.sleep((long) Math.pow(2, attempts) * 100L);225      } catch (InterruptedException ie) {226        Thread.currentThread().interrupt();227        throw ex;228      }229    }230  }231}232```233 234## Rate Limiting (Filter + Bucket4j)235 236**Security Note**: The `X-Forwarded-For` header is untrusted by default because clients can spoof it.237Only use forwarded headers when:2381. Your app is behind a trusted reverse proxy (nginx, AWS ALB, etc.)2392. You have registered `ForwardedHeaderFilter` as a bean2403. You have configured `server.forward-headers-strategy=NATIVE` or `FRAMEWORK` in application properties2414. Your proxy is configured to overwrite (not append to) the `X-Forwarded-For` header242 243When `ForwardedHeaderFilter` is properly configured, `request.getRemoteAddr()` will automatically244return the correct client IP from the forwarded headers. Without this configuration, use245`request.getRemoteAddr()` directly—it returns the immediate connection IP, which is the only246trustworthy value.247 248```java249@Component250public class RateLimitFilter extends OncePerRequestFilter {251  private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();252 253  /*254   * SECURITY: This filter uses request.getRemoteAddr() to identify clients for rate limiting.255   *256   * If your application is behind a reverse proxy (nginx, AWS ALB, etc.), you MUST configure257   * Spring to handle forwarded headers properly for accurate client IP detection:258   *259   * 1. Set server.forward-headers-strategy=NATIVE (for cloud platforms) or FRAMEWORK in260   *    application.properties/yaml261   * 2. If using FRAMEWORK strategy, register ForwardedHeaderFilter:262   *263   *    @Bean264   *    ForwardedHeaderFilter forwardedHeaderFilter() {265   *        return new ForwardedHeaderFilter();266   *    }267   *268   * 3. Ensure your proxy overwrites (not appends) the X-Forwarded-For header to prevent spoofing269   * 4. Configure server.tomcat.remoteip.trusted-proxies or equivalent for your container270   *271   * Without this configuration, request.getRemoteAddr() returns the proxy IP, not the client IP.272   * Do NOT read X-Forwarded-For directly—it is trivially spoofable without trusted proxy handling.273   */274  @Override275  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,276      FilterChain filterChain) throws ServletException, IOException {277    // Use getRemoteAddr() which returns the correct client IP when ForwardedHeaderFilter278    // is configured, or the direct connection IP otherwise. Never trust X-Forwarded-For279    // headers directly without proper proxy configuration.280    String clientIp = request.getRemoteAddr();281 282    Bucket bucket = buckets.computeIfAbsent(clientIp,283        k -> Bucket.builder()284            .addLimit(Bandwidth.classic(100, Refill.greedy(100, Duration.ofMinutes(1))))285            .build());286 287    if (bucket.tryConsume(1)) {288      filterChain.doFilter(request, response);289    } else {290      response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());291    }292  }293}294```295 296## Background Jobs297 298Use Spring’s `@Scheduled` or integrate with queues (e.g., Kafka, SQS, RabbitMQ). Keep handlers idempotent and observable.299 300## Observability301 302- Structured logging (JSON) via Logback encoder303- Metrics: Micrometer + Prometheus/OTel304- Tracing: Micrometer Tracing with OpenTelemetry or Brave backend305 306## Production Defaults307 308- Prefer constructor injection, avoid field injection309- Enable `spring.mvc.problemdetails.enabled=true` for RFC 7807 errors (Spring Boot 3+)310- Configure HikariCP pool sizes for workload, set timeouts311- Use `@Transactional(readOnly = true)` for queries312- Enforce null-safety via `@NonNull` and `Optional` where appropriate313 314**Remember**: Keep controllers thin, services focused, repositories simple, and errors handled centrally. Optimize for maintainability and testability.