SKILL.md
readonlyread-only
name
springboot-patterns
description
Spring Boot 架構模式、REST API 設計、分層服務、資料存取、快取、非同步處理與日誌記錄。適用於 Java Spring Boot 後端開發。
Spring Boot 開發模式
Spring Boot 架構與 API 模式,用於建構可擴展、生產等級的服務。
啟用時機
- 使用 Spring MVC 或 WebFlux 建構 REST API
- 組織 controller → service → repository 分層
- 設定 Spring Data JPA、快取或非同步處理
- 加入驗證、例外處理或分頁
- 設定開發/測試/正式環境的 profile
- 使用 Spring Events 或 Kafka 實作事件驅動模式
REST API 結構
@RestController
@RequestMapping("/api/markets")
@Validated
class MarketController {
private final MarketService marketService;
MarketController(MarketService marketService) {
this.marketService = marketService;
}
@GetMapping
ResponseEntity<Page<MarketResponse>> list(
@RequestParam(defaultValue = "0") int page,
@RequestParam(defaultValue = "20") int size) {
Page<Market> markets = marketService.list(PageRequest.of(page, size));
return ResponseEntity.ok(markets.map(MarketResponse::from));
}
@PostMapping
ResponseEntity<MarketResponse> create(@Valid @RequestBody CreateMarketRequest request) {
Market market = marketService.create(request);
return ResponseEntity.status(HttpStatus.CREATED).body(MarketResponse.from(market));
}
}
Repository 模式 (Spring Data JPA)
public interface MarketRepository extends JpaRepository<MarketEntity, Long> {
@Query("select m from MarketEntity m where m.status = :status order by m.volume desc")
List<MarketEntity> findActive(@Param("status") MarketStatus status, Pageable pageable);
}
服務層與交易
@Service
public class MarketService {
private final MarketRepository repo;
public MarketService(MarketRepository repo) {
this.repo = repo;
}
@Transactional
public Market create(CreateMarketRequest request) {
MarketEntity entity = MarketEntity.from(request);
MarketEntity saved = repo.save(entity);
return Market.from(saved);
}
}
DTO 與驗證
public record CreateMarketRequest(
@NotBlank @Size(max = 200) String name,
@NotBlank @Size(max = 2000) String description,
@NotNull @FutureOrPresent Instant endDate,
@NotEmpty List<@NotBlank String> categories) {}
public record MarketResponse(Long id, String name, MarketStatus status) {
static MarketResponse from(Market market) {
return new MarketResponse(market.id(), market.name(), market.status());
}
}
例外處理
@ControllerAdvice
class GlobalExceptionHandler {
@ExceptionHandler(MethodArgumentNotValidException.class)
ResponseEntity<ApiError> handleValidation(MethodArgumentNotValidException ex) {
String message = ex.getBindingResult().getFieldErrors().stream()
.map(e -> e.getField() + ": " + e.getDefaultMessage())
.collect(Collectors.joining(", "));
return ResponseEntity.badRequest().body(ApiError.validation(message));
}
@ExceptionHandler(AccessDeniedException.class)
ResponseEntity<ApiError> handleAccessDenied() {
return ResponseEntity.status(HttpStatus.FORBIDDEN).body(ApiError.of("Forbidden"));
}
@ExceptionHandler(Exception.class)
ResponseEntity<ApiError> handleGeneric(Exception ex) {
// 記錄非預期錯誤與堆疊追蹤
return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
.body(ApiError.of("Internal server error"));
}
}
快取
需要在設定類別上加上 @EnableCaching。
@Service
public class MarketCacheService {
private final MarketRepository repo;
public MarketCacheService(MarketRepository repo) {
this.repo = repo;
}
@Cacheable(value = "market", key = "#id")
public Market getById(Long id) {
return repo.findById(id)
.map(Market::from)
.orElseThrow(() -> new EntityNotFoundException("Market not found"));
}
@CacheEvict(value = "market", key = "#id")
public void evict(Long id) {}
}
非同步處理
需要在設定類別上加上 @EnableAsync。
@Service
public class NotificationService {
@Async
public CompletableFuture<Void> sendAsync(Notification notification) {
// 發送 email/SMS
return CompletableFuture.completedFuture(null);
}
}
日誌記錄 (SLF4J)
@Service
public class ReportService {
private static final Logger log = LoggerFactory.getLogger(ReportService.class);
public Report generate(Long marketId) {
log.info("generate_report marketId={}", marketId);
try {
// 邏輯
} catch (Exception ex) {
log.error("generate_report_failed marketId={}", marketId, ex);
throw ex;
}
return new Report();
}
}
中介軟體 / 過濾器
@Component
public class RequestLoggingFilter extends OncePerRequestFilter {
private static final Logger log = LoggerFactory.getLogger(RequestLoggingFilter.class);
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
long start = System.currentTimeMillis();
try {
filterChain.doFilter(request, response);
} finally {
long duration = System.currentTimeMillis() - start;
log.info("req method={} uri={} status={} durationMs={}",
request.getMethod(), request.getRequestURI(), response.getStatus(), duration);
}
}
}
分頁與排序
PageRequest page = PageRequest.of(pageNumber, pageSize, Sort.by("createdAt").descending());
Page<Market> results = marketService.list(page);
外部呼叫的錯誤恢復
public <T> T withRetry(Supplier<T> supplier, int maxRetries) {
int attempts = 0;
while (true) {
try {
return supplier.get();
} catch (Exception ex) {
attempts++;
if (attempts >= maxRetries) {
throw ex;
}
try {
Thread.sleep((long) Math.pow(2, attempts) * 100L);
} catch (InterruptedException ie) {
Thread.currentThread().interrupt();
throw ex;
}
}
}
}
速率限制 (Filter + Bucket4j)
安全注意事項:X-Forwarded-For 標頭預設不可信任,因為客戶端可以偽造它。
僅在以下情況使用轉發標頭:
- 您的應用程式位於受信任的反向代理(nginx、AWS ALB 等)之後
- 您已將
ForwardedHeaderFilter註冊為 Bean - 您已在應用程式屬性中設定
server.forward-headers-strategy=NATIVE或FRAMEWORK - 您的代理設定為覆蓋(而非附加)
X-Forwarded-For標頭
當 ForwardedHeaderFilter 正確設定時,request.getRemoteAddr() 會自動從轉發標頭傳回正確的客戶端 IP。若無此設定,請直接使用 request.getRemoteAddr()——它會傳回直接連線的 IP,這是唯一可信的值。
@Component
public class RateLimitFilter extends OncePerRequestFilter {
private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
/*
* 安全性:此過濾器使用 request.getRemoteAddr() 來識別客戶端以進行速率限制。
*
* 如果您的應用程式位於反向代理(nginx、AWS ALB 等)之後,您必須設定 Spring
* 正確處理轉發標頭,以準確偵測客戶端 IP:
*
* 1. 在 application.properties/yaml 中設定 server.forward-headers-strategy=NATIVE
* (適用於雲端平台)或 FRAMEWORK
* 2. 如果使用 FRAMEWORK 策略,請註冊 ForwardedHeaderFilter:
*
* @Bean
* ForwardedHeaderFilter forwardedHeaderFilter() {
* return new ForwardedHeaderFilter();
* }
*
* 3. 確保您的代理覆蓋(而非附加)X-Forwarded-For 標頭以防止偽造
* 4. 為您的容器設定 server.tomcat.remoteip.trusted-proxies 或等效設定
*
* 若無此設定,request.getRemoteAddr() 會傳回代理 IP,而非客戶端 IP。
* 請勿直接讀取 X-Forwarded-For——在沒有受信任代理處理的情況下,它很容易被偽造。
*/
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
// 使用 getRemoteAddr(),當 ForwardedHeaderFilter 設定時會傳回正確的客戶端 IP,
// 否則傳回直接連線 IP。切勿在沒有適當代理設定的情況下直接信任 X-Forwarded-For 標頭。
String clientIp = request.getRemoteAddr();
Bucket bucket = buckets.computeIfAbsent(clientIp,
k -> Bucket.builder()
.addLimit(Bandwidth.classic(100, Refill.greedy(100, Duration.ofMinutes(1))))
.build());
if (bucket.tryConsume(1)) {
filterChain.doFilter(request, response);
} else {
response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
}
}
}
背景任務
使用 Spring 的 @Scheduled 或與佇列(例如 Kafka、SQS、RabbitMQ)整合。保持處理器具有冪等性且可觀察。
可觀測性
- 結構化日誌(JSON)透過 Logback encoder
- 指標:Micrometer + Prometheus/OTel
- 追蹤:Micrometer Tracing 搭配 OpenTelemetry 或 Brave 後端
生產環境預設
- 偏好建構子注入,避免欄位注入
- 啟用
spring.mvc.problemdetails.enabled=true以使用 RFC 7807 錯誤(Spring Boot 3+) - 根據工作負載設定 HikariCP 連線池大小,設定逾時
- 查詢時使用
@Transactional(readOnly = true) - 在適當處使用
@NonNull和Optional強制空值安全
切記:保持 Controller 輕薄、Service 專注、Repository 簡單,並集中處理錯誤。以可維護性和可測試性為最佳化目標。






