ARTICLE AD BOX
Level 01 — Strong Junior:
Language Syntax & OOP
Java syntax — primitives, operators, control flow (if/else, for, while, switch), arrays, strings
OOP fundamentals — classes, objects, constructors, methods, fields, access modifiers (public/private/protected)
Inheritance & Polymorphism — extends, super, method overriding and overloading, instanceof, abstract classes
Interfaces — implementing multiple interfaces, default methods (Java 8+), difference between abstract class and interface
Encapsulation — getters/setters, information hiding, immutability basics (final fields)
Core Java Library
Collections Framework — ArrayList, LinkedList, HashMap, HashSet, TreeMap, LinkedHashMap; when to use which
Exception handling — try/catch/finally, checked vs unchecked exceptions, creating custom exceptions
String manipulation — String, StringBuilder, StringBuffer, common methods, String.format()
Java 8+ essentials — Lambda expressions, functional interfaces, Stream API basics (filter, map, collect, reduce), Optional
I/O basics — File reading/writing, BufferedReader, Scanner, basic serialization concept
Java 17+IntelliJ IDEAJDK setupjava.util.*java.io.*
→Use IntelliJ IDEA from day one. Practice every concept by writing runnable code — not just reading. Solve small exercises: FizzBuzz, reverse a string, find duplicates in a list.
Git fundamentals — init, clone, add, commit, push, pull, status, log, diff; understanding the staging area
Branching & merging — branch, checkout, merge, rebase basics; resolving merge conflicts
GitHub / GitLab workflow — pull requests, code review basics, .gitignore, README
Maven — pom.xml structure, dependencies, plugins, build lifecycle (clean, compile, test, package, install)
Gradle basics — build.gradle, tasks, dependencies; know how it differs from Maven
GitGitHubMavenGradle
★This is a key milestone. Start SQL at month 3, in parallel with learning Linux basics (Phase 4). Both take about 4 weeks each.
SQL basics — SELECT, INSERT, UPDATE, DELETE; WHERE, ORDER BY, GROUP BY, HAVING, LIMIT/OFFSET
Joins — INNER JOIN, LEFT/RIGHT/FULL OUTER JOIN, self-joins; understand when to use each
Database design basics — tables, primary keys, foreign keys, indexes basics, 1NF/2NF/3NF normalization concepts
Transactions basics — COMMIT, ROLLBACK, basic ACID understanding (this will go deeper at level 2)
PostgreSQL setup — install, psql CLI, pgAdmin; learn to create a database, users, and run queries
PostgreSQLSQLpgAdminDBeaver
★Learn Linux at month 3, at the same time as SQL. You don't need to master it — but you must be comfortable in the terminal to work professionally.
Filesystem navigation — cd, ls, pwd, mkdir, rm, cp, mv, find, cat, less, head, tail, grep, tree
File permissions — chmod, chown, understanding rwx, sudo, users and groups basics
Process management — ps, kill, top/htop, background jobs (&, fg, bg), nohup
Networking basics — curl, wget, ping, netstat, ss, ports concept; reading /etc/hosts
Shell basics — bash scripting fundamentals: variables, loops, conditionals, pipes, redirects (>, >>, |), environment variables
Text editors — vim basics (modes, save, quit) and nano; you must be able to edit files on a remote server
Ubuntu/DebianBashTerminalSSH
→You are about to build REST APIs with Spring Boot. Before that, you must understand how the web actually works end-to-end — what happens when a browser makes a request, how HTTPS encrypts it, what DNS resolves, and what a frontend actually is. This phase takes 2–3 weeks and pays dividends forever.
HTTP Protocol
HTTP request/response cycle — client sends a request (method + URL + headers + optional body); server returns a response (status code + headers + body); understand what happens at each step
HTTP methods & semantics — GET (read, idempotent, no body), POST (create, not idempotent), PUT (full replace, idempotent), PATCH (partial update), DELETE (remove, idempotent); why method choice matters for API design
HTTP status codes — 1xx (informational), 2xx (success: 200 OK, 201 Created, 204 No Content), 3xx (redirection: 301, 302, 304), 4xx (client errors: 400, 401, 403, 404, 409, 422), 5xx (server errors: 500, 502, 503)
HTTP headers — Content-Type, Accept, Authorization, Cache-Control, Cookie/Set-Cookie, CORS headers (Access-Control-Allow-Origin), X-Request-ID; how Spring reads and writes headers
HTTP/1.1 vs HTTP/2 vs HTTP/3 — connection reuse and keep-alive (HTTP/1.1), multiplexing and header compression (HTTP/2), QUIC transport (HTTP/3); know when your Spring app uses each and why it matters for performance
Cookies & sessions — how cookies work (Set-Cookie header, browser storage, sent on every request); session-based vs token-based auth; SameSite, HttpOnly, Secure cookie flags
HTTPS & TLS
TLS handshake — asymmetric key exchange (server's public key in certificate), symmetric session key negotiation; TLS 1.2 vs TLS 1.3 differences; why HTTP is plain text and HTTPS is not
SSL/TLS certificates — X.509 certificate structure, certificate authorities (CA), certificate chains, self-signed vs CA-signed; configuring HTTPS in Spring Boot (server.ssl.* properties); Let's Encrypt basics
HSTS & certificate pinning — HTTP Strict Transport Security header (forces HTTPS after first visit); why mixed content (HTTP resources on HTTPS page) is dangerous; configuring HSTS in Spring Security
How the Web Works
DNS resolution — what happens when you type a URL: browser cache → OS cache → recursive resolver → root nameserver → TLD → authoritative nameserver; A records, CNAME records, TTL; why this matters for microservices service discovery
IP, TCP, ports — IPv4/IPv6 addressing, TCP three-way handshake (SYN/SYN-ACK/ACK), ports (well-known: 80 HTTP, 443 HTTPS, 5432 PostgreSQL, 6379 Redis); localhost vs 0.0.0.0; how Spring Boot binds to a port
Load balancers & proxies — what a reverse proxy does (Nginx, HAProxy); X-Forwarded-For header; load balancing algorithms (round-robin, least connections); why Spring Boot apps sit behind a proxy in production
CDN basics — Content Delivery Network: edge nodes, origin pull, caching static assets, cache-control headers; when your backend API is NOT behind a CDN and when it is (API gateway caching)
Frontend Basics (Enough to Work with Frontend Devs)
HTML & CSS fundamentals — document structure, semantic HTML (nav, main, article, section), CSS selectors, the box model; you do not need to build UIs but you must read and understand frontend code
JavaScript essentials — variables (let/const), functions, arrow functions, promises, async/await; fetch API for making HTTP calls; JSON.parse() / JSON.stringify(); event loop concept (why JS is single-threaded)
How browsers make API calls — fetch() / XMLHttpRequest lifecycle; CORS (Cross-Origin Resource Sharing): why the browser blocks cross-origin requests, preflight OPTIONS request, how to configure @CrossOrigin and CorsConfigurationSource in Spring
Single-page applications (SPA) vs server-rendered — React/Vue/Angular fetch data from your Spring Boot REST API; understand what the frontend expects (JSON shape, status codes, error formats); vs Thymeleaf server-side rendering if building a full-stack Spring app
Browser DevTools — Network tab: inspect real HTTP requests/responses, headers, timing, payloads; Console tab: JavaScript errors; essential for debugging API integration issues with frontend teams
HTTP/1.1HTTP/2TLS 1.3DNSCORSfetch APIBrowser DevToolsNginx basics
Spring Core Concepts
Spring IoC & DI — ApplicationContext, @Component, @Service, @Repository, @Controller, @Autowired, @Bean, @Configuration; constructor injection vs field injection
Spring Boot auto-configuration — @SpringBootApplication, starter dependencies, application.properties / application.yml, profiles (@Profile, spring.profiles.active)
REST APIs with Spring MVC
Controllers — @RestController, @RequestMapping, @GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @PathVariable, @RequestParam, @RequestBody
Response handling — ResponseEntity, HTTP status codes, @ResponseStatus, global exception handler with @ControllerAdvice + @ExceptionHandler
Validation — @Valid, Bean Validation annotations (@NotNull, @Size, @Email, etc.), custom validators
REST design basics — RESTful resource naming conventions, HTTP verbs semantics, JSON request/response, versioning strategies
Spring Data JPA
Entities & repositories — @Entity, @Table, @Id, @GeneratedValue, @Column; JpaRepository, CrudRepository; derived query methods
Relationships — @OneToMany, @ManyToOne, @OneToOne, @ManyToMany; FetchType.LAZY vs EAGER; Cascade types
Custom queries — @Query with JPQL and native SQL, @Modifying for updates/deletes, Pageable for pagination
Transactions basics — @Transactional, propagation levels (REQUIRED, REQUIRES_NEW), rollback rules
Basic Spring Security
Security configuration — SecurityFilterChain, HttpSecurity, permitAll vs authenticated, basic form login, HTTP Basic authentication
UserDetailsService — loading users from DB, password encoding with BCrypt, roles and authorities
Spring Boot 3.xSpring MVCSpring Data JPAHibernateSpring SecurityJacksonLombok
★Start DSA at month 5, while learning Spring Boot. Dedicate 45–60 min per day. You need enough to pass coding interviews at junior level. Do NOT try to finish all of DSA before coding Spring — learn both in parallel.
Complexity analysis — Big O notation: O(1), O(n), O(n²), O(log n), O(n log n); time and space complexity; analyzing loops and recursion
Arrays & Strings — two-pointer technique, sliding window, prefix sums, common patterns (duplicates, anagrams, substrings)
Linked Lists — singly/doubly linked list, reversal, fast/slow pointers (cycle detection), merge two lists
Stack & Queue — implementation, monotonic stack, valid parentheses, BFS queue usage basics
HashMap & HashSet patterns — frequency counting, grouping, two-sum pattern; understand Java HashMap's internal bucket structure
Binary search — classic binary search, search in rotated array, finding boundaries
LeetCode EasyLeetCode MediumNeetCode 150
JUnit 5 — @Test, @BeforeEach, @AfterEach, @BeforeAll, @AfterAll, @ParameterizedTest, assertions (assertEquals, assertThrows, assertNotNull)
Mockito — @Mock, @InjectMocks, @Spy, when().thenReturn(), verify(), ArgumentCaptor; mocking dependencies in service layer
Spring Boot Test — @SpringBootTest, @WebMvcTest (controller tests with MockMvc), @DataJpaTest (repository tests), @MockBean
Test principles — unit vs integration tests, test pyramid, code coverage basics, Arrange-Act-Assert pattern, TDD introduction
JUnit 5MockitoMockMvcTestcontainers basics
→You have built and tested a real Spring Boot API. Now you need to know how attackers break it. Learn these vulnerabilities by writing exploits yourself in a local test project — reading theory alone is not enough. Every attack listed here has a Spring-specific defense you must memorise.
Injection Attacks
SQL Injection — how it works (breaking out of string context in raw SQL); why Spring Data JPA + parameterized queries prevent it by default; danger zones: native @Query with string concat, JdbcTemplate misuse, JPQL string building; always use named parameters (:param) or positional (?) — never String.format() into a query
NoSQL Injection — MongoDB operator injection ($where, $gt tricks); Spring Data MongoDB uses safe query derivation but custom aggregation pipelines can be vulnerable
XSS — Cross-Site Scripting
Reflected & Stored XSS — how malicious scripts get injected into responses; Spring Boot REST APIs are less exposed (no server-side HTML rendering) but JSON responses can still feed vulnerable frontends
Defenses — never trust user input echoed back; encode output; set Content-Type: application/json (not text/html); use Content-Security-Policy header; Spring Security headers: .headers().contentSecurityPolicy(...)
Authentication & Access Control Flaws
CSRF — Cross-Site Request Forgery — how forged cross-origin requests exploit cookie-based sessions; Spring Security CSRF protection; when to disable for stateless JWT APIs (and why it's safe to do so)
IDOR — Insecure Direct Object Reference — accessing /api/users/42/orders when you are user 17; always verify that the authenticated principal owns the requested resource; use @PreAuthorize("@ownerCheck.verify(#id, authentication)")
Broken Authentication — weak JWT secrets (never use "secret" or short keys); missing token expiry validation; JWT algorithm confusion (alg:none attack); always validate iss, aud, exp claims; use strong 256-bit secrets or RSA key pairs
Security Misconfigurations & Data Exposure
Sensitive data exposure — never log passwords, tokens, or card numbers; never return password hashes or internal IDs in API responses; use @JsonIgnore or DTOs to control what gets serialized
Security headers — configure Spring Security's HeadersConfigurer: X-Content-Type-Options (nosniff), X-Frame-Options (DENY), Strict-Transport-Security (HSTS), Content-Security-Policy
Mass assignment / Insecure deserialization — never bind request body directly to your @Entity; always use a dedicated DTO; attackers can inject fields like isAdmin=true or id=999 if you use the entity directly in @RequestBody
Dependency vulnerabilities — use OWASP Dependency-Check Maven plugin or Snyk to scan for known CVEs in your pom.xml; keep Spring Boot version up to date
OWASP Top 10Spring Security headers@PreAuthorizeOWASP Dep-CheckSnykCSRFIDOR
Docker basics — what is a container vs VM; docker pull, run, stop, ps, logs, exec; writing a basic Dockerfile for a Spring Boot app; docker build and push
Docker Compose basics — running your Spring Boot app + PostgreSQL together with docker-compose.yml; environment variables, volumes
OpenAPI / Swagger — springdoc-openapi, @Operation, @ApiResponse, Swagger UI; documenting your REST APIs properly
REST Client tools — Postman or Insomnia for testing APIs, RestTemplate basics, or WebClient basics for HTTP calls from Spring
DockerDocker ComposeSwagger UIPostmanRestTemplate
----------------------------------------
Level 02 — Intermediate:
Concurrency & Multithreading
Thread lifecycle
Synchronization
java.util.concurrent
Concurrent collections
Locks
JVM Internals
Memory model
Garbage collection
Class loading
JVM flags
Advanced Language Features
Generics deep dive
Reflection & Annotations
Modern Java features
Design patterns
Advanced SQL
Indexes
Transactions deep dive
Connection pooling
Flyway / Liquibase
Redis basics
Spring Security — JWT
Spring AOP
Spring Events
Spring Batch basics
Scheduling
WebFlux intro
Messaging concepts
RabbitMQ
Apache Kafka basics
Trees
Graphs
Heap / Priority Queue
Dynamic programming
Recursion & Backtracking
CI/CD pipelines
Docker advanced
Logging
Spring Boot Actuator
ELK Stack basics
Spring AI Core
Spring AI framework overview
ChatClient API
PromptTemplate
Structured output
RAG — Retrieval Augmented Generation
Embeddings & Vector stores
RAG pipeline
ETL pipeline (DocumentReader)
Tool Calling & Agentic Patterns
Function / Tool calling
Chat memory & conversation history
Local models with Ollama
**-------------------------------------------
Level 03 — Senior Developer:**
Microservices principles
Spring Cloud
Inter-service communication
Resilience patterns
Distributed transactions
API Gateway patterns
Kafka internals
Kafka production patterns
Kafka Streams
CQRS pattern
Event Sourcing
OAuth2 deep dive
OpenID Connect
Spring Authorization Server
Security best practices
Stripe integration
PayPal / Braintree
Idempotency in payments
Webhook handling
PCI-DSS basics
Transaction integrity
Performance profiling
JVM tuning
Database performance
Caching strategies
Load testing
Kubernetes core
Helm
Cloud platform (AWS or GCP)
Prometheus + Grafana
Distributed tracing
Advanced graph algorithms
Advanced DP patterns
Trie & Segment Tree
System Design DSA
-----------------------------------------------
**Level 04 — Software Architect: **
Architecture styles
Architecture quality attributes
CAP theorem & distributed systems
API design at scale
Architecture Decision Records
Strategic DDD
Tactical DDD
DDD + microservices
Event storming
Enterprise Integration Patterns
Data architecture patterns
Polyglot persistence
CQRS + Event Sourcing at scale
Cloud-native design
High availability design
Service mesh
Infrastructure as Code
Serverless architecture
Architecture governance
ArchUnit
Cross-cutting concerns design
Evolutionary architecture
Communication & leadership
ArchUnitStrangler FigFeature FlagsLaunchDarklyRFC Process
