# Java Spring Boot Review Checklist

Extends the generic checklist with Java/Spring-specific items.

## Interface Layer (Spring MVC)

- [ ] `@RestController` methods have `@Valid` on request bodies
- [ ] Custom validators implement `ConstraintValidator` correctly
- [ ] `@ExceptionHandler` or `@ControllerAdvice` for global error handling
- [ ] `@ResponseStatus` used appropriately on custom exceptions
- [ ] DTOs use records or Lombok `@Data` — not exposing entities directly
- [ ] `@RequestMapping` `produces`/`consumes` specified

## Business Layer (Spring Service)

- [ ] `@Transactional` on service methods that modify multiple tables
- [ ] `@Transactional(rollbackFor = Exception.class)` — not just `RuntimeException`
- [ ] Transaction propagation set correctly (`REQUIRED` vs `REQUIRES_NEW`)
- [ ] No `@Transactional` on private methods (proxy limitation)

## Data Layer (Spring Data JPA / MyBatis)

- [ ] JPA: `@Entity` classes have proper `equals()` and `hashCode()`
- [ ] JPA: No eager fetching on `@ManyToOne` without explicit need
- [ ] JPA: `@Query` with `nativeQuery=false` by default (prevent SQL injection)
- [ ] MyBatis: All SQL uses `#{}` not `${}` for user input
- [ ] Connection pool settings reviewed (HikariCP defaults usually fine)

## Error Handling

- [ ] Checked exceptions either handled or declared
- [ ] `try-with-resources` for `AutoCloseable` resources
- [ ] No `catch (Exception e) { e.printStackTrace(); }` — use logger instead

## Security (Spring Security)

- [ ] `SecurityFilterChain` configured correctly
- [ ] CSRF protection enabled for state-changing endpoints
- [ ] `@PreAuthorize` or `@Secured` on protected methods
- [ ] Password encoding uses `BCryptPasswordEncoder` or better
- [ ] No secrets in `application.properties` — use env vars or vault

## Performance

- [ ] `@Async` used for non-blocking operations with proper thread pool config
- [ ] `@Cacheable` with TTL and eviction strategy
- [ ] JPA: `@BatchSize` or batch insert for bulk operations
- [ ] RestTemplate/WebClient timeouts configured
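
For the MyBatis item under Data Layer, the following added example (not part of the original checklist or any project's code) shows a mapper that fails the `#{}` check beside one that passes. It goes one step beyond the item by covering `ORDER BY`, where a column name cannot be bound and `${}` has to be fed from an allow-list. The `users` table, `UserMapper`, and `UserQueries` are hypothetical names.

```java
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Hypothetical mapper over an assumed "users" table (illustration only).
@Mapper
interface UserMapper {

    // FAILS review: ${} is plain text substitution, so the caller's string
    // becomes part of the SQL statement before it is parsed.
    @Select("SELECT id FROM users WHERE email = '${email}'")
    Long findIdByEmailUnsafe(@Param("email") String email);

    // PASSES review: #{} is sent as a PreparedStatement bind parameter,
    // so the value is never interpreted as SQL.
    @Select("SELECT id FROM users WHERE email = #{email}")
    Long findIdByEmail(@Param("email") String email);

    // Identifiers such as an ORDER BY column cannot be bound with #{}.
    // ${} is acceptable here only because every caller goes through the
    // allow-list in UserQueries below; flag any direct call in review.
    @Select("SELECT email FROM users ORDER BY ${orderColumn}")
    List<String> listEmailsOrderedBy(@Param("orderColumn") String orderColumn);
}

// Hypothetical service-side wrapper that is the only caller of listEmailsOrderedBy.
final class UserQueries {

    // Fixed set of column names that may reach the ${} placeholder.
    private static final Set<String> SORTABLE = Set.of("id", "email", "created_at");
    private static final String DEFAULT_SORT = "id";

    private final UserMapper mapper;

    UserQueries(UserMapper mapper) {
        this.mapper = mapper;
    }

    // Request input selects one of the fixed column names; it is never
    // passed through to the SQL text itself.
    List<String> listEmails(String requestedSort) {
        String column = (requestedSort != null && SORTABLE.contains(requestedSort))
                ? requestedSort
                : DEFAULT_SORT;
        return mapper.listEmailsOrderedBy(column);
    }
}
```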