cobol-java-v3/.claude/skills/code-review/references/java-spring.md
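NB-076 2f61ad7f1a feat: integrate the code-review skill into the project
- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Automatic trigger: review runs automatically after the AI modifies .py/.cbl/.cpy/.lark files
- CLAUDE.md: defines trigger rules, review process, severity levels
- .code-review.yaml: tier=standard, high-risk module configuration

Effect: usable right after clone; every code change is reviewed automatically, keeping low-quality code out of the repository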
Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-25 10:24:15 +08:00

2.0 KiB

Java Spring Boot Review Checklist

Extends the generic checklist with Java/Spring-specific items.

Interface Layer (Spring MVC)

  • @RestController methods have @Valid on request bodies
  • Custom validators implement ConstraintValidator correctly
  • @ExceptionHandler or @ControllerAdvice for global error handling
  • @ResponseStatus used appropriately on custom exceptions
  • DTOs use records or Lombok @Data — not exposing entities directly
  • @RequestMapping produces/consumes specified

Business Layer (Spring Service)

  • @Transactional on service methods that modify multiple tables
  • @Transactional(rollbackFor = Exception.class) — not just RuntimeException
  • Transaction propagation set correctly (REQUIRED vs REQUIRES_NEW)
  • No @Transactional on private methods (proxy limitation)

Data Layer (Spring Data JPA / MyBatis)

  • JPA: @Entity classes have proper equals() and hashCode()
  • JPA: No eager fetching on @ManyToOne without explicit need
  • JPA: @Query with nativeQuery=false by default (prevent SQL injection)
  • MyBatis: All SQL uses #{} not ${} for user input
  • Connection pool settings reviewed (HikariCP defaults usually fine)
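
As an added example (not part of the project's checklist or code), a small reviewer aid for the MyBatis item above: it scans mapper XML for `${}` text substitutions, which MyBatis splices into the SQL string, and leaves `#{}` bound parameters alone. The mapper content, class name and statement ids are constructed for illustration, and the scan assumes each statement's id sits on the same line as its opening tag.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Review aid: flags MyBatis ${} text substitution in mapper XML; #{} binds are ignored. */
public class MapperSubstitutionCheck {

    /** One ${} occurrence: enclosing statement id, 1-based line, substituted expression. */
    record Finding(String statementId, int line, String expression) {}

    // Assumption: the id attribute is on the same line as the opening statement tag.
    private static final Pattern STATEMENT_OPEN =
            Pattern.compile("<(select|insert|update|delete)\\b[^>]*\\bid=\"([^\"]+)\"");
    private static final Pattern SUBSTITUTION = Pattern.compile("\\$\\{([^}]*)\\}");

    static List<Finding> scan(String mapperXml) {
        List<Finding> findings = new ArrayList<>();
        String currentId = "(outside statement)";
        String[] lines = mapperXml.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            Matcher open = STATEMENT_OPEN.matcher(lines[i]);
            if (open.find()) {
                currentId = open.group(2);   // remember which statement we are inside
            }
            Matcher sub = SUBSTITUTION.matcher(lines[i]);
            while (sub.find()) {             // a line may contain several ${} uses
                findings.add(new Finding(currentId, i + 1, sub.group(1).trim()));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample mapper (not from the project under review).
        String mapper = """
                <mapper namespace="demo.AccountMapper">
                  <select id="findByOwner" resultType="demo.Account">
                    SELECT * FROM account WHERE owner = #{owner}
                  </select>
                  <select id="search" resultType="demo.Account">
                    SELECT * FROM account WHERE name LIKE '%${keyword}%'
                    ORDER BY ${sortColumn}
                  </select>
                </mapper>
                """;
        for (Finding f : scan(mapper)) {
            System.out.printf("line %d, statement '%s': ${%s} is spliced into the SQL text%n",
                    f.line(), f.statementId(), f.expression());
        }
    }
}
```

A `${}` hit is a prompt for manual review rather than an automatic defect: dynamic identifiers such as an ORDER BY column cannot be bound with `#{}` and need an allow-list instead.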

Error Handling

  • Checked exceptions either handled or declared
  • try-with-resources for AutoCloseable resources
  • No catch (Exception e) { e.printStackTrace(); } — use logger instead

Security (Spring Security)

  • SecurityFilterChain configured correctly
  • CSRF protection enabled for state-changing endpoints
  • @PreAuthorize or @Secured on protected methods
  • Password encoding uses BCryptPasswordEncoder or better
  • No secrets in application.properties — use env vars or vault

Performance

  • @Async used for non-blocking operations with proper thread pool config
  • @Cacheable with TTL and eviction strategy
  • JPA: @BatchSize or batch insert for bulk operations
  • RestTemplate/WebClient timeouts configured