Project Oxygen & Ideo-LabIDEO LAB Dashboard 2026

đŸŒ± Spring – Core, Boot, Data, Security, Cloud, Observability

Guide IDEO-Lab : Spring “en production” (IoC, Boot autoconfig, REST, Data, Security, transactions, tests, perf, cloud-native).

1.1

Vue d’ensemble Spring

Écosystùme, modules, philosophie : conventions, DI, layering.

CoreEcosystemDI
1.2

IoC / DI & Bean Lifecycle

Container, scopes, proxies, lifecycle hooks, profiles.

IoCBeanProfiles
1.3

Spring Boot

Autoconfiguration, starters, properties, actuators, packaging.

BootAutoconfigActuator
2.1

Spring Web / REST

@RestController, validation, errors, OpenAPI, versioning API.

MVCRESTValidation
2.2

Spring Data

Repositories, JPA, paging, specs, transactions, auditing.

DataJPARepository
2.3

Transactions & Cohérence

@Transactional, propagation, isolation, read-only, piĂšges proxy.

TXPropagationIsolation
3.1

Spring Security

AuthN/AuthZ, filters, JWT, sessions, CSRF, method security.

SecurityAuthJWT
3.2

Configuration

application.yml, profiles, secrets, config server, feature flags.

ConfigProfilesSecrets
3.3

Observability

Actuator, metrics, tracing, logs corrélés, health checks.

ActuatorMetricsTracing
4.1

Tests

@SpringBootTest, slices, Testcontainers, MockMvc/WebTestClient.

JUnitTestcontainersSlices
4.2

Performance & Scalabilité

N+1, cache, pooling, async, backpressure, tuning GC.

PerfN+1Pooling
4.3

Spring Cloud

Config, discovery, gateway, resilience, distributed patterns.

CloudGatewayResilience
5.1

Cheat-sheet Spring

Rappels express : DI, REST, Data, Security, Actuator, tests.

cheatbest practices
1.1 Vue d’ensemble Spring
Spring = framework + conventions

Spring est un Ă©cosystĂšme : le cƓur (IoC/DI) + des modules (Web, Data, Security, Messaging
). L’objectif : construire des applications testables, maintenables, observables.

IdĂ©e centrale : le code dĂ©pend d’interfaces (contrats), et le container injecte l’implĂ©mentation au runtime (DI).
Pipeline “request → business → DB”
HTTP request
  -> Controller
  -> Service (transaction boundary)
  -> Repository
  -> Database
  <- Response

Les erreurs classiques viennent d’une frontiĂšre TX mal placĂ©e + un fetch JPA non maĂźtrisĂ©.

Modules fréquents
ModuleUsageÀ retenir
Spring CoreDI / containerScopes, proxies, lifecycle
Spring BootAutoconfigStarters + properties + Actuator
Spring WebREST/MVCValidation + exceptions + OpenAPI
Spring DataRepositoriesPaging/specs + transactions
Spring SecurityAuthFilter chain + method security
Spring CloudDistributedGateway + config + resilience
Architecture “production-friendly”
  • Layering : Controller → Service → Repository.
  • DTO en API (Ă©viter d’exposer directement des entitĂ©s JPA).
  • Observability : metrics + traces + logs corrĂ©lĂ©s + health checks.
  • Configuration : profiles + secrets + validation.
  • Tests : slices + Testcontainers pour les composants critiques.
1.2 IoC / DI & Bean Lifecycle
Constructor injection (recommandé)
// English-only sample
@Service
public class BillingService {
  private final PaymentGateway gateway;

  public BillingService(PaymentGateway gateway) {
    this.gateway = gateway;
  }
}

Constructor injection = immutabilité + testabilité + dépendances explicites.

Qualifier / primary
// English-only sample
@Bean
@Primary
public PaymentGateway stripeGateway() { return new StripeGateway(); }

@Bean
public PaymentGateway mockGateway() { return new MockGateway(); }

Quand plusieurs beans matchent une interface : @Primary, @Qualifier, ou @Profile.

Scopes (l’essentiel)
ScopeDuréeUsage
singleton1 par containerservices stateless
prototypenouvelle instanceobjets stateful court
requestpar requĂȘte HTTPweb context
sessionpar sessionrare en API stateless
Attention : scopes web impliquent souvent des proxies. Comprendre les proxies Ă©vite 80% des surprises.
Bean lifecycle (hooks utiles)
// English-only sample
@Bean(initMethod = "start", destroyMethod = "stop")
public Worker worker() { return new Worker(); }

@PostConstruct
public void init() { /* init */ }

@PreDestroy
public void shutdown() { /* cleanup */ }

En prod : préférer des composants stateless + ressources explicites (DataSource, HTTP client).

1.3 Spring Boot – Autoconfiguration, Starters, Actuator
Ce que Boot fait (et ne fait pas)
  • Autoconfigure selon le classpath + properties.
  • Fournit des Starters (dĂ©pendances cohĂ©rentes).
  • Expose Actuator pour santĂ©/metrics.
  • Ne remplace pas l’architecture : TX, fetch, sĂ©curitĂ© restent ton job.
Main minimal
// English-only sample
@SpringBootApplication
public class App {
  public static void main(String[] args) {
    SpringApplication.run(App.class, args);
  }
}
Debug autoconfig (indispensable)
# English-only sample
debug=true

Le “condition evaluation report” explique pourquoi un bean a Ă©tĂ© crĂ©Ă© (ou non).

application.yml : pattern sain
# English-only sample
spring:
  application:
    name: demo
  datasource:
    url: jdbc:postgresql://db:5432/app
    username: app
    password: ${DB_PASSWORD}
  jpa:
    hibernate:
      ddl-auto: validate
    open-in-view: false

management:
  endpoints:
    web:
      exposure:
        include: health,info,metrics,prometheus
Reco : open-in-view: false pour Ă©viter le lazy loading en dehors du scope service/TX.
Actuator : endpoints essentiels
EndpointUsageNote sécu
/actuator/healthreadiness/livenessexposer sanitized
/actuator/metricsKPIslimiter
/actuator/prometheusscrapingauth/network
/actuator/envdebug configsouvent à désactiver
# English-only sample
management.endpoint.health.probes.enabled=true
management.endpoint.health.show-details=never
2.1 Spring Web / REST – Controllers, Validation, Errors, OpenAPI
REST minimal (DTO)
// English-only sample
@RestController
@RequestMapping("/api/customers")
public class CustomerController {
  private final CustomerService service;

  public CustomerController(CustomerService service) {
    this.service = service;
  }

  @GetMapping("/{id}")
  public CustomerDto get(@PathVariable long id) {
    return service.getCustomer(id);
  }
}
API versioning (reco)
  • Version dans l’URL (/v1/) ou header.
  • DTO versionnĂ©s (ne pas “casser” les clients).
  • Backwards compatibility + deprecation policy.
Reco : Controller reste “thin”. La logique va dans Service.
Bean Validation sur DTO
// English-only sample
public record CreateCustomerRequest(
  @NotBlank @Size(max = 120) String name,
  @Email @NotBlank String email
) {}

@PostMapping
public CustomerDto create(@Valid @RequestBody CreateCustomerRequest req) {
  return service.createCustomer(req);
}

Valider cÎté API + contraintes DB (unique, not null) = robustesse.

Exception mapping propre
// English-only sample
@RestControllerAdvice
public class ApiErrors {
  @ExceptionHandler(NotFoundException.class)
  @ResponseStatus(HttpStatus.NOT_FOUND)
  public Map notFound(NotFoundException e) {
    return Map.of("error", "NOT_FOUND", "message", e.getMessage());
  }
}

Standardiser les erreurs = meilleure observabilité + intégration clients.

2.2 Spring Data – Repositories, Paging, Specs, Auditing
Repository minimal
// English-only sample
public interface CustomerRepository extends JpaRepository {
  Optional findByEmail(String email);
}

Top pour CRUD. Sur les cas complexes : @Query, Specifications, ou Querydsl.

Auditing (timestamps)
// English-only sample
@EntityListeners(AuditingEntityListener.class)
@Entity
public class Customer {
  @CreatedDate private Instant createdAt;
  @LastModifiedDate private Instant updatedAt;
}

Pense aussi aux triggers DB si la donnĂ©e doit ĂȘtre “source of truth” cĂŽtĂ© DB.

Pagination + sorting
// English-only sample
Page page = repo.findAll(PageRequest.of(0, 50, Sort.by("name").ascending()));
Specifications (filtres dynamiques)
// English-only sample
public static Specification hasStatus(String status) {
  return (root, query, cb) -> cb.equal(root.get("status"), status);
}
N+1 : le vrai sujet Data/JPA
  • Ne pas exposer les entitĂ©s directement en API.
  • PrĂ©fĂ©rer DTO projections / fetch plan explicite.
  • DĂ©sactiver Open Session In View (Boot) et charger ce qui est nĂ©cessaire dans la TX.
# English-only sample
spring.jpa.open-in-view=false
2.3 Transactions – @Transactional, propagation, isolation, piùges proxy
TX au niveau Service
// English-only sample
@Service
public class OrderService {
  private final OrderRepository repo;

  public OrderService(OrderRepository repo) { this.repo = repo; }

  @Transactional
  public OrderDto placeOrder(CreateOrderRequest req) {
    Order o = new Order();
    // build aggregate
    repo.save(o);
    return map(o);
  }
}
Isolation & locks

L’isolation est DB-level. Spring te permet de dĂ©clarer l’intention, mais le SGBD dĂ©cide du comportement rĂ©el.

// English-only sample
@Transactional(isolation = Isolation.READ_COMMITTED)
Hot rows : combine optimistic locking + retries; lock pessimiste seulement si nécessaire.
Propagation : usage typique
PropagationIdĂ©eCas d’usage
REQUIREDjoin or createpar défaut
REQUIRES_NEWnew TXaudit/outbox, Ă©viter rollback global
SUPPORTSoptionallecture, utilitaires
// English-only sample
@Transactional(propagation = Propagation.REQUIRES_NEW)
public void writeAudit(AuditEvent e) { /* ... */ }
PiÚges fréquents
  • Self-invocation : un appel interne n’active pas le proxy → pas de TX.
  • Read-only : hint, pas un “no-write firewall”.
  • Large TX : locks longs + timeouts + mĂ©moire (persistence context).
RÚgle : TX courte + endpoints idempotents + retry ciblé sur collisions/concurrency.
3.1 Spring Security – Filter chain, JWT, CSRF, Method Security
La “filter chain” = le cƓur

Spring Security applique une chaüne de filtres avant d’atteindre tes controllers : authentification, autorisation, gestion session, CSRF, headers, etc.

// English-only sample
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  return http
    .csrf(csrf -> csrf.disable())
    .authorizeHttpRequests(auth -> auth
      .requestMatchers("/actuator/health").permitAll()
      .anyRequest().authenticated()
    )
    .build();
}
JWT (API stateless) – pattern
  • Issuer, audience, expiration, rotation keys.
  • Scopes/roles normalisĂ©s.
  • Reject tokens on clock skew too large.
// English-only sample
http
  .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
  .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
Hardening checklist
  • CSRF activĂ© sur apps stateful, dĂ©sactivĂ© uniquement si API stateless maĂźtrisĂ©e.
  • Headers : CSP, HSTS, X-Content-Type-Options.
  • Limiter l’exposition Actuator (auth + rĂ©seau).
  • Logs d’auth : corrĂ©lation request_id + user_id.
Important : sécu = design + ops : rotation secrets, moindre privilÚge, audits, alerting.
3.2 Configuration – Profiles, Secrets, Config Server, Feature Flags
Profiles
# English-only sample
spring.profiles.active=prod
# English-only sample
spring:
  config:
    activate:
      on-profile: prod

SĂ©parer dev/stage/prod et Ă©viter de “toggler” Ă  la main sur des serveurs.

Secrets : rĂšgles simples
  • Jamais en dur dans Git.
  • Variables d’environnement + secret manager (Vault/Cloud provider).
  • Rotation + audit + least privilege.
# English-only sample
spring.datasource.password=${DB_PASSWORD}
Patterns robustes
PatternButNote
ConfigurationPropertiesconfig typedvalidation possible
Feature flagsrolloutobservability + kill switch
Config servercentralizecache + fallback
// English-only sample
@ConfigurationProperties(prefix = "app.billing")
public record BillingProps(int retryMax) {}
3.3 Observability – Metrics, Tracing, Logs, Health
KPIs Ă  monitorer
  • HTTP latency p95/p99, error rate, throughput.
  • DB pool saturation, slow queries, N+1 detection (query count).
  • GC pauses, heap usage, CPU throttling.
# English-only sample
management.endpoints.web.exposure.include=health,metrics,prometheus
Tracing distribué

Objectif : suivre une requĂȘte bout-en-bout via trace_id et corrĂ©ler logs + spans + DB calls.

# English-only sample
logging.pattern.level=%5p [trace=%X{traceId:-} span=%X{spanId:-}]
Readiness / Liveness
# English-only sample
management.endpoint.health.probes.enabled=true
management.health.livenessState.enabled=true
management.health.readinessState.enabled=true
Bonne pratique : readiness doit Ă©chouer si DB/pool down; liveness doit rester stable (Ă©viter restarts en boucle).
4.1 Tests – Slices, Integration, Testcontainers, Web clients
StratĂ©gie test “pro”
NiveauButOutil
Unitlogique pureJUnit + mocks
Slicefocus layer@WebMvcTest, @DataJpaTest
Integrationstack complĂšte@SpringBootTest
DB realSQL/locksTestcontainers
@WebMvcTest
// English-only sample
@WebMvcTest(CustomerController.class)
class CustomerControllerTest {
  @Autowired MockMvc mvc;
  @MockBean CustomerService service;
}
@DataJpaTest
// English-only sample
@DataJpaTest
class CustomerRepositoryTest {
  @Autowired CustomerRepository repo;
}
DB “rĂ©elle” en test
// English-only sample
@Testcontainers
class DbIT {
  @Container static PostgreSQLContainer db = new PostgreSQLContainer<>("postgres:16");
}

Indispensable pour N+1, plans, locks, isolation, migrations.

4.2 Performance – N+1, pools, async, caching, GC
La perf Spring = souvent la perf DB
  • N+1 → requĂȘtes multipliĂ©es, latence.
  • Indexes manquants → full scans.
  • Transactions trop longues → contention.
Workflow : mesurer → extraire SQL rĂ©el → EXPLAIN → corriger fetch/queries/index → re-mesurer.
Connection pool (Hikari) : points clés
  • pool trop petit → timeouts / queueing.
  • pool trop grand → surcharge DB.
  • mesurer active/idle, wait time, saturation.
# English-only sample
spring.datasource.hikari.maximumPoolSize=20
spring.datasource.hikari.connectionTimeout=3000
Cache & async (prudence)
  • Cache uniquement si stratĂ©gie d’invalidation dĂ©finie.
  • Async utile pour I/O (HTTP) mais attention au backpressure.
  • Pour dĂ©bit : limiter concurrency + timeouts + retries.
// English-only sample
@Cacheable("customerById")
public CustomerDto getCustomer(long id) { /* ... */ }

@Async
public CompletableFuture sync() { /* ... */ }
4.3 Spring Cloud – Gateway, Config, Discovery, Resilience
Patterns distribués
  • Config centralisĂ©e + cache local + fallback.
  • Service discovery (ou DNS/K8s service).
  • Central auth (JWT/OIDC) + policy.
  • Rate limiting + circuit breakers.
API Gateway : rĂŽle
  • Auth edge, routing, retries, rate limit, WAF-like.
  • Observability centralisĂ©e (traces, headers).
# English-only sample (concept)
routes:
  - id: api
    uri: http://service
    predicates:
      - Path=/api/**
Resilience
MĂ©canismeButNote
Timeoutbound latencyobligatoire
Retrytransient errorssur idempotent
Circuit breakerstop bleedingévite cascade
Bulkheadlimit concurrencyprotéger pool
Golden rule : retry + timeout sans rate-limit = amplification possible en incident.
5.1 Cheat-sheet Spring (prod-ready)
DI / Boot / Web
// English-only quick notes
Prefer constructor injection
Keep controllers thin
Use DTOs for API
Disable open-in-view in prod
Standardize error responses
Data / TX
// English-only quick notes
@Transactional at service level
Avoid long transactions
Watch N+1 (query count per request)
Use paging + DTO projections
Use optimistic locking + retries
Security / Observability
// English-only quick notes
Use stateless JWT for APIs
Lock down actuator endpoints
Enable metrics + tracing + correlated logs
Expose readiness/liveness probes
Config / Tests
// English-only quick notes
Profiles: dev/stage/prod
Secrets via env/secret manager
Slices for fast tests
Testcontainers for real DB behavior