Java EE & Spring Framework
Phase 1: Java EE Fundamentals
1. Why is Java EE recommended for
enterprise-level application development?
(3 marks)
Java EE is recommended because:
- It provides a standardized, modular platform
for developing large-scale, distributed
applications
- Offers built-in support for transaction
management, security, and concurrency
- Includes APIs for common enterprise needs
(JPA for persistence, JMS for messaging, etc.)
- Supports scalability and high availability
through clustering and load balancing
- Has a large ecosystem and community
support
2. Types of containers in Java EE and their
roles (3 marks)
- Web Container: Manages servlets, JSPs, and
web components (e.g., Tomcat)
- EJB Container: Manages Enterprise JavaBeans
(EJBs) for business logic
- Application Client Container: Manages
standalone client applications
- Applet Container: Manages applets (now
largely deprecated)
3. Define a Servlet in Java EE (2 marks)
A Servlet is a Java class that extends server
capabilities to handle HTTP requests and
generate dynamic responses. Servlets run
inside a web container and follow a lifecycle
managed by the container.
4. Purpose and usage of Filters in Java EE (2
marks)
Filters are used to pre-process requests and
post-process responses. Common uses
include:
- Authentication/authorization checks
- Logging and auditing
- Data compression
- Input validation
- CORS handling
Phase 2: JSON and Data Binding
5. What does JSON stand for? (1 mark)
JavaScript Object Notation
6. Two benefits of using JSON for data
exchange (2 marks)
1. Lightweight and human-readable format
2. Language-independent (can be parsed by
most programming languages)
7.1 Define a MIME type (2.5 marks)
MIME (Multipurpose Internet Mail Extensions)
type is a standard that indicates the nature
and format of a document/file. For JSON, the
MIME type is `application/json`.
MIME types are important in APIs to ensure
proper content negotiation between client
and server. The Content-Type header (e.g.,
application/json) tells the receiver how to
interpret the data.
7.2 Suitable JSON implementation for Java
API (2.5 marks)
Jackson library is most suitable because:
- High performance
- Comprehensive feature set
- Good Spring integration
- Active maintenance

Phase 3: Server Configuration and JDBC
8.1 Configuration file that manages servlet
settings in Tomcat (2 marks)
`web.xml` (Deployment Descriptor) in the
WEB-INF directory
9. Java utility to manage DB connections (2
marks)
Apache Commons DBCP (Database Connection
Pool) or HikariCP
10. Comparison with JDBC (2 marks)
- JDBC: Requires manual connection
management, more boilerplate code
- Connection Pool: Manages connections
efficiently, improves performance, reduces
overhead
Phase 4: HTTP and RESTful Concepts
11. Technology to store form data and
populate frontend tables (1 mark)
LocalStorage or SessionStorage in JavaScript
12. HTTP methods mapped to CRUD (4
marks)
- GET → Read
- POST → Create
- PUT → Update (full resource)
- PATCH → Update (partial resource)
- DELETE → Delete
13. Simple request vs Preflight request (3
marks)
- Simple request: Direct request using GET,
POST or HEAD with allowed headers
- Preflight request: OPTIONS request sent
before actual request for CORS, checks if
server allows the actual requestA real-world
example:
Simple request: GET request to fetch data with
standard headers
Preflight: OPTIONS request sent before
DELETE/PUT to check permissions
14. Safe HTTP methods (3.5 marks)
Safe methods don't modify resources: GET,
HEAD, OPTIONS
15. Idempotent methods (3.5 marks)
Idempotent methods produce same result if
called once or multiple times: GET, PUT,
DELETE, HEAD, OPTIONS
Phase 5: CORS and Cross-Domain
Communication
16. Define CORS and Shan's issue (4 marks)
CORS (Cross-Origin Resource Sharing) is a
mechanism that allows restricted resources to
be requested from another domain. Shan
likely encountered a browser blocking
requests from his frontend to a backend on a
different domain due to same-origin policy.
17. How CORS acts as security mechanism
(3 marks)
CORS protects users by:
- Restricting cross-origin requests by default
- Requiring server consent via headers
- Preventing malicious sites from making
unauthorized requests to other domains
18. Step-by-step solution for CORS errors (8
marks)
1. Configure server to include CORS headers
(`Access-Control-Allow-Origin`)
2. For Spring, use `@CrossOrigin` annotation
on controllers
3. Or create a global CORS configuration with
`WebMvcConfigurer`
4. For complex requests, ensure proper
handling of OPTIONS (preflight)
5. Set allowed methods, headers, and
credentials if needed
6. Test with different browsers
7. Consider security implications of permissive
CORS settings
8. For production, specify exact origins rather
than "*"
Phase 6: Spring Core Concepts
19. Why choose Spring Framework? (2
marks)
- Lightweight dependency injection
- Comprehensive programming/configuration
model
- Excellent integration with other technologies
- Strong community and documentation
20. Define a Bean in Spring (3 marks)
A bean is an object that is instantiated,
assembled, and managed by the Spring IoC
container. Beans are defined in configuration
metadata and created based on that
definition.
21. Ways to declare Spring Bean (3 marks)
1. XML configuration (`<bean>` tag)
2. Java configuration (`@Bean` in
`@Configuration` class)
3. Component scanning (`@Component` and
derivatives)
22. Describe annotations (3 marks)
- @Component: Marks a class as Spring
component for auto-detection
- @Configuration: Indicates a class contains
Spring bean definitions
- `@ComponentScan`: Configures component
scanning directives
23. Define Dependency Injection (2 marks)
DI is a design pattern where objects receive
their dependencies from an external source
rather than creating them directly, promoting
loose coupling.
24. Methods for DI in Spring (3 marks)
1. Constructor injection (recommended)
2. Setter injection
3. Field injection (using `@Autowired`)
25. Explain Inversion of Control (2 marks)
IoC is a principle where the control of object
creation and lifecycle is transferred to the
framework (container) rather than being
managed by the objects themselves.
26. Types of ApplicationContexts (5 marks)
1. `ClassPathXmlApplicationContext`: Loads
from XML in classpath
2. `FileSystemXmlApplicationContext`: Loads
from XML in file system
3. `AnnotationConfigApplicationContext`: Uses
Java configuration classes
4. `WebApplicationContext`: For web
applications
5. `AnnotationConfigWebApplicationContext`:
Web version of annotation config
27. Full mode vs Light mode (2 marks)
- Full mode: All beans are eagerly initialized at
startup
- Lite mode: Beans are initialized when needed
(lazy initialization)
28. Concept of AOP (2 marks)
Aspect-Oriented Programming allows
cross-cutting concerns (logging, security,
transactions) to be modularized separately
from business logic and applied declaratively.
29. Bean Ambiguity and resolution (3 Example:
@GetMapping("/api/v1/customer*")
marks)

- `/api/v1/customer` (exact):
Bean ambiguity occurs when multiple beans of
Matches only the exact path
the same type exist. Solutions:
`/api/v1/customer`.
1. `@Primary` to mark preferred bean
2. `@Qualifier` to specify bean name
Example:
3. Use specific bean names in injection points
@GetMapping("/api/v1/customer")

Phase 7: Spring MVC and Web Development - `/api/v1/customer/{value}` (segment variable):

30. Advantages of Spring in controller layer
(3 marks)
- Simplified request mapping with annotations
- Built-in support for content negotiation
- Easy integration with view technologies
Captures dynamic path segments (e.g.,
`/api/v1/customer/123` maps `{value}` to `123`).
Example:
@GetMapping("/api/v1/customer/{id}")
public String getCustomer(@PathVariable("id") String id)
{ ... }

- Powerful validation mechanisms

- Exception handling framework
34. Explain the purpose of: (3 marks)
- `@RestController`:
31. Role of DispatcherServlet (3 marks)
Combines `@Controller` + `@ResponseBody`.
Used in Spring MVC to create RESTful
DispatcherServlet is the front controller that:
controllers that return JSON/XML instead of
1. Receives all HTTP requests
views.
2. Delegates to controllers based on URL
mappings
- `@RequestMapping`:
3. Manages view resolution
Maps HTTP requests to handler methods.
4. Handles exceptions
Can specify path, method (GET/POST),
5. Returns the final response
produces/consumes content types.

32. URL analysis (6 marks)

- `@Service`:
Marks a class as a business service layer
- `http://www.example.com`: Root of
component (Spring stereotype). Enables
example.com with www subdomain
auto-detection during scanning.
- `http://example.com`: Root without
subdomain (may be same or different)
35. Interpret the method and annotations:
- `http://exams.example.com`: Different
(4 marks)
subdomain (may be treated as cross-origin)
@PatchMapping(value = "/{id}", consumes =
"application/json", produces =
33. Identify appropriate mappings for
"application/json")
these: (3 marks)
private void
updateStudent(@PathVariable("id") String id,
- `/api/v1/customer*` (wildcard):
@RequestBody StudentDTO student) {
Matches any path starting with
dataProcess.updateStudent(id, student);
`/api/v1/customer`
}
(e.g., `/api/v1/customer123`).
 - `@PatchMapping`: Handles HTTP PATCH Phase 8: Build Tools
requests to `/somepath/{id}`.
37. Briefly describe `pom.xml` and
- `consumes="application/json"`: Expects `build.gradle`: (3 marks)
JSON input in the request body.
- `pom.xml`:
- `produces="application/json"`: Returns JSON - Used by Maven.
response. - XML-based configuration for dependencies,
plugins, and build lifecycle.
- `@PathVariable`: Extracts `{id}` from the URL. - Structured with `<dependencies>`, `<build>`,
and `<properties>`.
- `@RequestBody`: Binds the JSON payload to
`StudentDTO`. - `build.gradle`:
- Used by Gradle.
- Behavior: Updates a student with the given - Groovy/Kotlin DSL (more concise than XML).
ID using data from the request body. - Uses `dependencies {}`, `plugins {}`, and
task-based configuration.

38. Compare Maven/Gradle with Ant: (5

marks)

Feature Maven/Gradle Ant

Configuration Declarative Procedural (build.xml)

(pom.xml/build.gradle)

Dependency Mgmt Built-in (Maven Central) Manual (no built-in support)

Performance Gradle is faster Slower (re-executes all tasks)

(incremental builds)

Flexibility Convention over Highly flexible (but verbose)

configuration

Learning Curve Easier for standard Steeper (requires scripting)

projects

Phase 9: Spring Data JPA

39. Sachini is building a Spring API with a
relational database.
1. Suggest a built-in Java solution: (1 mark)
JPA (Java Persistence API) with Hibernate as the
implementation.
2. Does Java offer a complete solution? (4
marks)
- Yes, but with limitations:
- JPA provides ORM standard, but needs an
implementation (e.g., Hibernate).
 - Requires additional configuration
(datasource, transactions).
- For complex queries, native SQL or
QueryDSL may be needed.

3. Placeholders in `JpaRepository<?, ?>`: (2

marks)

public interface MyRepository extends

JpaRepository<EntityClass, IdType>

Example:
public interface CustomerRepository extends
JpaRepository<Customer, Long>

40. Define the following: (8 marks)

Term Definition

BasicDataSource Apache Commons DBCP connection pool

implementation (manages DB
connections).

DriverManagerDataSource Simple Spring JDBC datasource (no

pooling, for testing/simple apps).

@Repository Spring stereotype for DAO classes.

Enables exception translation to Spring’s
DataAccessException.

@Transactional Defines transactional boundaries

(methods execute within a database
transaction).

Phase 10: Spring Boot and Testing 2. Notable annotation: (4 marks)

41. Waruna is building a Java API using `@SpringBootApplication`: Combines:

Spring.
1. Recommend the optimal Spring project:
(1 mark)
Spring Boot (simplifies setup with
auto-configuration, embedded servers).
- `@Configuration` (defines beans),
- `@EnableAutoConfiguration` (auto-configures
Spring),
- `@ComponentScan` (auto-discovers
components).
3. Suitable testing method: (1 mark) 46. Claims in a JWT token: (3 marks)

JUnit 5 + `@SpringBootTest` for integration - Registered claims:

tests. Standard fields (`iss`, `exp`, `sub`).

4. Test without affecting real data: (2 - Public claims:

marks) Custom claims (e.g., `roles`).

- Use `@Transactional` (rolls back after test). - Private claims:

- **Testcontainers** (Dockerized DBs).
- **H2 in-memory database** for tests.
Phase 11: Authentication and Authorization
Agreed between parties.
47. HTTP header for JWT: (2 marks)
Authorization: Bearer <token>

42.1. Technical term for login requirement:

(2.5 marks)

Authentication (verifying user identity).

42.2. Kamal’s restricted access vs manager:

(2.5 marks)

Role-Based Access Control (RBAC):

Permissions granted based on roles (e.g.,
`USER` vs `ADMIN`).

Phase 12: JWT and Security

43. What is a JWT token? (2 marks)

A JSON Web Token is a compact, URL-safe

token format for securely transmitting claims
(e.g., user identity) between parties.

44. Main parts of a JWT: (3 marks)

1. Header (algorithm + token type).

2. Payload (claims like `sub`, `exp`).
3. Signature (verifies token integrity).

45. One alternative to JWT: (2 marks)

Opaque tokens (random strings validated via

backend lookup).
48. Definitions: (8 marks)
Term
@PreAuthorize
@PostAuthorize
SecurityContextHolder
UserDetailsService
49. List best practices for using JWT
securely (3 marks)
1.Set short expiration times (use refresh
tokens for long sessions)
2.Always use HTTPS to prevent token
interception
3.Store tokens securely - avoid localStorage
(use HttpOnly cookies for web apps)
4.Validate tokens properly - check signature,
issuer, audience, and expiration
5.Use strong signing keys (HS256 with long
secrets or RS256)
6.Implement token blacklisting for logout
functionality
7.Avoid sensitive data in payload as JWTs are
not encrypted by default
Definition
Checks permissions before method
execution (e.g.,
@PreAuthorize("hasRole('ADMIN')")).
Checks permissions after method
execution (e.g., for return value validation).
Stores the current security context
(authentication + user details).
Loads user data during authentication
(loadUserByUsername()).
50. Recommend a secure password storage
method (2 marks)
Use bcrypt with:
1.A work factor of 10-12 (balance between
security and performance)
2.Automatic salt generation
3.Spring Security's BCryptPasswordEncoder
Why bcrypt?
Specifically designed for password hashing
Slow by design (thwarts brute force)
Handles salting automatically
Adaptive to increasing compute power (work
factor)
Example:
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(12);
}
1. Explain the difference between
`@Controller` and `@RestController` in
Spring. (2 marks)
- `@Controller`: Used for traditional MVC apps
where methods return view names (resolved
to HTML/JSP).
- `@RestController`: Combines `@Controller` +
`@ResponseBody`; methods return data
(JSON/XML) directly, used for REST APIs.
2. What is the purpose of
`@SpringBootTest`? Provide an example. (3
marks)
- Purpose: Used for integration testing in
Spring Boot. Loads the full application context.
- Example:
@SpringBootTest
class CustomerControllerTest {
@Autowired
private MockMvc mockMvc;
@Test
void testGetCustomer() throws Exception {
mockMvc.perform(get("/api/customer/1"))
.andExpect(status().isOk());
}
} Use `@ControllerAdvice`+`@ExceptionHandler`:
3. How does Spring Security handle
authentication? (3 marks)
1. User submits credentials (e.g., login
form/JWT).
2. `AuthenticationManager` validates
credentials using `UserDetailsService`.
3. On success, a `SecurityContext` is created
with the user’s `Authentication` object.
4. What is the difference between `PUT` and
`PATCH` in REST? (2 marks)
- PUT: Replaces the entire resource with the
new representation.
- PATCH: Partially updates specific fields of the
resource.
5. Explain the role of `DispatcherServlet` in
Spring MVC with a diagram. (4 marks)
Role: Front controller that routes requests to
appropriate handlers (controllers).
Flow:
1. Client → `DispatcherServlet` → Handler
Mapping
2. `DispatcherServlet` → Controller → Service
→ DAO
3. Controller → `DispatcherServlet` →
ViewResolver → Client
6. What is Bean Scoping in Spring? List
common scopes. (3 marks)
Defines the lifecycle and visibility of a bean.
Scopes:
- `singleton` (default: one instance per
container)
- `prototype` (new instance each time)
- `request` (per HTTP request)
- `session` (per user session)
7. How would you handle exceptions
globally in Spring Boot? (3 marks)
@ControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(ResourceNotFoundException.class)
public ResponseEntity<String>
handleNotFound(ResourceNotFoundException ex) {
return
ResponseEntity.status(404).body(ex.getMessage());
}
}
8. What is the difference between
`@Component`, `@Service`, and
`@Repository`? (3 marks)
All are stereotypes for auto-detection, but
semantically:
- `@Component`: Generic Spring-managed
bean.
- `@Service`: Business logic layer.
- `@Repository`: Persistence layer (adds
exception translation).
9. Explain the purpose of
`application.properties` in Spring Boot with
2 examples. (3 marks)
The application.properties file in Spring
Boot is used to configure application
settings such as database connections, server
behavior, logging, and more. It allows
developers to externalize configuration
without hardcoding values in Java code.
Centralized configuration file.
Examples:
# Database config
spring.datasource.url=jdbc:h2:mem:testdb
spring.datasource.username=sa
# Server port
server.port=8081
10. What is the difference between
`@Mock` and `@MockBean`? (2 marks)
- `@Mock`: Creates a mock using Mockito
(plain unit tests).
- `@MockBean`: Adds/replaces a Spring
context bean with a mock (used in
`@SpringBootTest`).
11. Draw the architecture of a typical
Spring Boot REST API with layers. (4 marks)
Client → Controller (REST Endpoints) → Service
(Business Logic) → Repository (DB Access) →
Database
↑ ↑
DTOs (Data Transfer Objects) Entities
(JPA)
12. What is @ControllerAdvice in Spring? (2
marks)
A global exception handler for multiple
controllers. Combines @ExceptionHandler
methods to centralize error handling.
Example:
java
@ControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(ResourceNotFoundException.class)
public ResponseEntity<?> handleResourceNotFound() {
return ResponseEntity.notFound().build();
}
}
13. Explain the purpose of the
@Transactional annotation in Spring (3
marks)
@Transactional:
●​Declares that a method or class should be
executed within a database transaction
●​Provides ACID properties (Atomicity,
Consistency, Isolation, Durability)
●​Can be configured with:
Propagation behavior (e.g., REQUIRED,
REQUIRES_NEW)
Isolation level
Timeout
Read-only mode
Rollback rules
 14. What is the purpose of the
DispatcherServlet in Spring MVC? (3 marks)

The DispatcherServlet is:

●​ The front controller in Spring MVC
architecture
●​ Responsible for request processing
workflow:
Receives all incoming HTTP requests
Delegates to controllers via handler mapping
Manages view resolution
Handles exceptions
Returns the final response
●​ Configurable through Java config or XML
●​ Can have multiple instances in one
application

15. What is the difference between

@RequestParam and @PathVariable? (3
marks)

@GetMapping("/users/{id}")
public User getUser(@PathVariable Long id,
@RequestParam(required = false) String details) {
// ...
}

16.what is the @Repository annotation

In Spring Boot, we use the @Repository

annotation to mark a class or interface as part of
the persistence layer. This makes it easy for
Spring to detect and manage it as a bean.

●​ Tells Spring this class is for data access.

●​ Enables automatic database exception
handling.
●​ Works with JpaRepository or custom DAO
classes.

@Repository
public interface StudentRepository extends
JpaRepository<Student, Long> {
List<Student> findByName(String name);
}