The Best Spring Boot and Spring Framework Books
This curriculum takes an intermediate Java developer from Spring Framework fundamentals through production-grade Spring Boot applications, covering REST APIs, security, testing, and microservices. Each stage builds directly on the last — you must understand the Spring container before you can master Boot's auto-configuration, and you must master Boot before you can decompose it into microservices.
Spring Core Foundations
IntermediateUnderstand the Spring Framework's core principles — dependency injection, the application context, and MVC — so that Spring Boot's auto-configuration makes intuitive sense rather than feeling like magic.
▸ Study plan for this stage
Pace: 6–8 weeks, ~40–50 pages/day (Spring in Action: weeks 1–4; Pro Spring 6: weeks 5–8)
- Dependency Injection (DI) as the foundation of Spring: constructor, setter, and field injection patterns and their trade-offs
- The ApplicationContext: how Spring manages beans, their lifecycle, and configuration metadata (XML, Java config, annotations)
- Bean scopes (singleton, prototype, request, session) and when to use each
- Spring MVC architecture: DispatcherServlet, controllers, request mapping, view resolution, and the request-response cycle
- Aspect-Oriented Programming (AOP): cross-cutting concerns, proxies, and practical use cases like logging and transactions
- Spring's annotation-driven configuration: @Component, @Bean, @Autowired, and how it replaces XML boilerplate
- Auto-wiring and component scanning: how Spring discovers and injects beans automatically
- Transaction management and declarative transactions: @Transactional and Spring's abstraction over database transactions
- Explain the three types of dependency injection and describe a scenario where you would choose constructor injection over setter injection
- What is the ApplicationContext and how does it differ from a BeanFactory? How does Spring manage the bean lifecycle?
- Describe the Spring MVC request-response cycle from the moment a request hits the DispatcherServlet to the view being rendered
- What are bean scopes and why is singleton the default? When would you use prototype or request scope?
- How does Aspect-Oriented Programming work in Spring, and what are two real-world use cases for AOP?
- What is the difference between XML configuration, Java-based configuration, and annotation-driven configuration? When would you use each?
- Build a simple three-tier application (controller → service → repository) using constructor injection; refactor it to use setter and field injection and compare the testability of each approach
- Create a Spring application with multiple bean definitions using both XML configuration and Java @Configuration classes; verify that the ApplicationContext loads both correctly
- Implement a custom AOP aspect that logs method execution time for service layer methods; apply it to 2–3 methods and verify the logs
- Build a Spring MVC web application with at least three endpoints (@GetMapping, @PostMapping) that accept different request types (path variables, query parameters, request body) and return JSON responses
- Create beans with different scopes (singleton, prototype, request) in a single application; write tests or a simple servlet to verify that singleton instances are reused and prototype instances are created fresh each time
- Implement a service method with @Transactional and deliberately trigger a rollback scenario; verify that the transaction is rolled back correctly using a test or database inspection
Next up: Mastering these core Spring principles—DI, the ApplicationContext, MVC, and AOP—provides the mental model needed to understand why Spring Boot's auto-configuration, starter dependencies, and embedded servers work the way they do, setting up the next stage to focus on Spring Boot's productivity features rather than foundational mechanics.

The single most widely-read Spring book; it covers the IoC container, Spring MVC, and data access in a hands-on way that gives you the mental model everything else builds on. Start here to establish vocabulary and intuition.

Goes deeper into the Spring container internals, AOP, transactions, and testing than Spring in Action does. Read it second to solidify the 'why' behind the abstractions before Boot hides them.
Spring Boot Essentials
IntermediateBuild real Spring Boot applications confidently — auto-configuration, Spring Data JPA, REST APIs, validation, and testing — and understand how Boot decisions map back to raw Spring.
▸ Study plan for this stage
Pace: 6–8 weeks, ~40–50 pages/day (mix of reading and hands-on coding)
- Spring Boot auto-configuration: how @SpringBootApplication, @EnableAutoConfiguration, and conditional beans eliminate boilerplate and map to underlying Spring Framework concepts
- Spring Data JPA repositories: CRUD operations, query methods, custom queries, and how they abstract away low-level Hibernate/JPA configuration
- Building REST APIs with Spring Web: @RestController, @RequestMapping, HTTP method annotations, content negotiation, and error handling
- Validation and constraints: @Valid, JSR-303/JSR-380 annotations, custom validators, and integration with REST endpoints
- Testing Spring Boot applications: @SpringBootTest, @WebMvcTest, @DataJpaTest, mocking, and test slices for focused unit and integration testing
- Configuration management: application.properties/YAML, profiles, externalized configuration, and how Boot simplifies property binding
- Embedded servers and deployment: understanding Tomcat/Netty embedded in Boot, fat JARs, and how Boot differs from traditional WAR deployments
- Actuator and observability: health checks, metrics, custom endpoints, and monitoring production applications
- Explain how Spring Boot auto-configuration works and what role @SpringBootApplication plays in enabling it. How does this relate to manual Spring Framework bean configuration?
- Design a Spring Data JPA repository for a domain entity and write query methods to fetch data by multiple criteria. When would you use @Query annotations?
- Build a REST API endpoint that accepts JSON input, validates it using JSR-303 annotations, and returns appropriate HTTP status codes. How do you handle validation errors?
- Write unit and integration tests for a Spring Boot service layer using @SpringBootTest and @DataJpaTest. What is the purpose of test slices?
- Configure a Spring Boot application with environment-specific properties (dev, test, prod) using profiles. How does externalized configuration improve deployment flexibility?
- Describe the role of Spring Boot Actuator in production monitoring. What are health indicators and how do you create custom ones?
- Follow 'Learning Spring Boot 3.0' Chapter 2–3: create a simple @SpringBootApplication, inspect auto-configuration reports (debug=true), and identify which beans are auto-configured vs. manually defined.
- Build a complete CRUD application using Spring Data JPA: define entities with relationships, create repositories with custom query methods, and verify queries in integration tests.
- Develop a multi-endpoint REST API (e.g., blog or e-commerce domain) with proper HTTP methods, status codes, and content negotiation; test each endpoint with curl or Postman.
- Add comprehensive validation to your REST API: use @Valid on request bodies, create custom validators for business rules, and test error responses with appropriate HTTP 400/422 status codes.
- Write a test suite covering service, repository, and controller layers using @SpringBootTest, @WebMvcTest, and @DataJpaTest; achieve >80% code coverage for your domain logic.
- Configure your application with multiple profiles (application-dev.yml, application-prod.yml); externalize database credentials, server ports, and feature flags; verify profile activation at startup.
Next up: This stage equips you with hands-on mastery of Spring Boot's core abstractions and patterns; the next stage will deepen your expertise into advanced topics like security, reactive programming, microservices architecture, and production-grade observability.

A focused, project-driven introduction to Spring Boot 3 that covers auto-configuration, Spring Data, and REST from scratch. Its progressive examples make it the ideal first Boot-specific book.

Complements Turnquist by emphasizing real-world patterns — actuator, configuration management, testing, and messaging — giving you a broader production toolkit before moving to advanced topics.
REST APIs & Persistence
IntermediateDesign and implement robust, well-tested RESTful APIs backed by relational and NoSQL databases, including hypermedia, error handling, and data-layer best practices.
▸ Study plan for this stage
Pace: 8–10 weeks, ~40–50 pages/day (mix of theory and hands-on coding)
- REST architectural principles: statelessness, resource-oriented design, HTTP verbs, and status codes as applied in Spring Boot
- Building Spring Boot REST controllers with @RestController, @RequestMapping, and content negotiation
- Request/response mapping, validation, and error handling using Spring's exception handling and custom error responses
- Spring Data abstraction layer: repositories, query methods, and custom queries for both relational (JPA/Hibernate) and NoSQL databases
- Hypermedia-driven APIs: HATEOAS principles and Spring HATEOAS for building discoverable, self-documenting APIs
- Database persistence patterns: entity relationships, lazy/eager loading, transaction management, and N+1 query prevention
- Testing REST APIs: unit testing controllers, integration testing with TestRestTemplate, and mocking data layers
- Best practices: API versioning, pagination, filtering, sorting, and designing for scalability and maintainability
- How do REST architectural principles (statelessness, resource orientation, HTTP verbs) translate into Spring Boot @RestController design?
- What is the difference between Spring Data repositories and custom query methods, and when should you use each approach?
- How do you implement comprehensive error handling in a Spring Boot REST API, and what makes a good error response?
- What is HATEOAS, and how does Spring HATEOAS enable clients to discover API endpoints dynamically?
- How do lazy loading, eager loading, and transaction boundaries affect REST API performance, and how do you prevent N+1 query problems?
- How do you design and test a REST API that works seamlessly with both relational (SQL) and NoSQL databases using Spring Data?
- Build a complete REST API for a domain model (e.g., e-commerce, blog, or library) using Spring Boot @RestController, implementing GET, POST, PUT, DELETE with proper HTTP status codes
- Create Spring Data repositories (both JPA and one NoSQL option like MongoDB) for your domain, write custom query methods using @Query, and compare query performance
- Implement comprehensive error handling: custom exception classes, @ControllerAdvice for global exception handling, and structured error response DTOs
- Add HATEOAS links to your API responses using Spring HATEOAS; verify clients can navigate the API by following links without prior knowledge of URLs
- Write integration tests for your REST API using TestRestTemplate, covering happy paths, validation errors, and edge cases; mock the data layer where appropriate
- Implement pagination, filtering, and sorting on a list endpoint; test performance with large datasets and optimize queries to avoid N+1 problems
Next up: This stage establishes the foundation for building production-grade, data-driven APIs with proper persistence and error handling; the next stage will likely deepen security (authentication/authorization), caching, and operational concerns (monitoring, logging, deployment) needed to run these APIs reliably in production.

SKIP — replacing with a verified Spring-specific title below.

The authoritative reference on Spring Data's repository abstraction across JPA, MongoDB, and Redis. Reading it here gives you the persistence depth needed before tackling microservices data patterns.
Security
ExpertImplement authentication and authorization in Spring Boot applications using Spring Security, OAuth 2, and JWT — understanding the security filter chain deeply enough to customize it confidently.
▸ Study plan for this stage
Pace: 8–10 weeks, ~40–50 pages/day with hands-on labs
- Spring Security architecture and the filter chain: how requests flow through authentication and authorization filters
- Authentication mechanisms: form login, HTTP Basic, custom authentication providers, and credential validation
- Authorization and access control: role-based access control (RBAC), method-level security (@PreAuthorize, @Secured), and permission-based authorization
- JWT (JSON Web Tokens): token generation, validation, stateless authentication, and integration with Spring Security
- OAuth 2.0 flows: authorization code, client credentials, and resource server configuration for delegated authentication
- UserDetailsService and GrantedAuthority: implementing custom user loading and authority management
- SecurityFilterChain customization: building and ordering filters, exception handling, and CORS configuration
- Practical security patterns: password encoding, CSRF protection, session management, and securing REST APIs
- How does the Spring Security filter chain work, and what is the order of key filters like UsernamePasswordAuthenticationFilter and FilterSecurityInterceptor?
- What are the differences between authentication and authorization, and how does Spring Security implement each?
- How do you implement custom authentication providers and UserDetailsService in Spring Security?
- What is JWT, how do you generate and validate tokens, and how do you integrate JWT with Spring Security for stateless authentication?
- How do you configure OAuth 2.0 in Spring Boot (both as a resource server and authorization server), and what are the main flows?
- How do you use @PreAuthorize, @Secured, and other method-level security annotations, and when should you use each?
- How do you customize the SecurityFilterChain to add, remove, or reorder filters, and what are common pitfalls?
- How do you handle CSRF, CORS, and session management in Spring Security, especially for REST APIs?
- Build a Spring Boot application with form-based login using Spring Security's default configuration, then customize the login page and add remember-me functionality
- Implement a custom UserDetailsService that loads users from a database, and create a custom AuthenticationProvider with password encoding using BCrypt
- Create a REST API secured with HTTP Basic authentication, then refactor it to use JWT tokens with custom authentication filters
- Implement role-based access control (RBAC) using @PreAuthorize and @Secured annotations on service and controller methods, with multiple user roles
- Build a stateless JWT-based authentication system: generate tokens on login, validate them on each request, and handle token expiration and refresh
- Configure Spring Security as an OAuth 2.0 resource server, validate incoming JWT tokens from an external authorization server, and test with a real OAuth 2.0 provider
- Customize the SecurityFilterChain by adding a custom filter, removing default filters, and configuring exception handling for authentication/authorization failures
- Build a complete microservices scenario: one service as an OAuth 2.0 authorization server issuing tokens, another as a resource server validating them, with CORS properly configured
Next up: This stage equips you with deep knowledge of Spring Security's internals and modern authentication patterns (JWT, OAuth 2.0), preparing you to tackle advanced topics like distributed security, API gateway patterns, and securing microservices architectures in the next stage.

The most comprehensive and up-to-date book dedicated entirely to Spring Security. It covers the filter chain, method security, OAuth 2, and JWT step by step — essential reading before securing microservices.
Microservices & Cloud-Native Spring
ExpertDecompose Spring Boot applications into resilient, observable microservices using Spring Cloud, service discovery, API gateways, distributed configuration, and reactive programming.
▸ Study plan for this stage
Pace: 12–14 weeks, ~40–50 pages/day with 2–3 days/week for hands-on labs and architecture exercises
- Microservices architecture patterns: decomposition strategies, service boundaries, and the trade-offs between monoliths and distributed systems
- Service discovery and client-side vs. server-side load balancing using Spring Cloud Netflix Eureka and Spring Cloud LoadBalancer
- API Gateway pattern: request routing, cross-cutting concerns (authentication, rate limiting, logging), and circuit breakers using Spring Cloud Gateway
- Distributed configuration management with Spring Cloud Config and externalized property sources across multiple environments
- Inter-service communication: synchronous REST/HTTP, asynchronous messaging, and event-driven patterns with Spring Cloud Stream
- Resilience patterns: circuit breakers, retries, timeouts, bulkheads, and fallbacks using Resilience4j and Spring Cloud Hystrix
- Reactive programming with Project Reactor: non-blocking I/O, backpressure, and async composition for cloud-native applications
- Observability in distributed systems: structured logging, distributed tracing (Spring Cloud Sleuth + Zipkin), and metrics collection (Micrometer)
- What are the key differences between monolithic and microservices architectures, and when should you decompose a monolith into microservices?
- How does service discovery work in Spring Cloud, and what are the trade-offs between client-side and server-side discovery patterns?
- What is the API Gateway pattern, and how does Spring Cloud Gateway implement cross-cutting concerns like authentication and circuit breaking?
- How do you manage configuration across multiple microservices and environments using Spring Cloud Config, and what are the benefits of externalized configuration?
- What resilience patterns (circuit breakers, retries, timeouts, bulkheads) should you implement, and how do you use Resilience4j or Hystrix to enforce them?
- How does reactive programming with Project Reactor improve scalability and resource utilization in cloud-native microservices?
- What are the key observability challenges in distributed systems, and how do you implement distributed tracing and structured logging with Spring Cloud Sleuth and Zipkin?
- How do you design event-driven microservices using Spring Cloud Stream and asynchronous messaging to decouple services?
- Decompose a monolithic Spring Boot application into 3–4 loosely coupled microservices following patterns from 'Microservices Patterns' (e.g., database per service, saga pattern for distributed transactions)
- Set up service discovery with Spring Cloud Eureka: register multiple microservices and implement client-side load balancing with Spring Cloud LoadBalancer
- Build an API Gateway using Spring Cloud Gateway that routes requests to backend microservices, implements rate limiting, and enforces authentication/authorization
- Configure distributed properties using Spring Cloud Config Server; externalize database URLs, API keys, and feature flags across dev, staging, and production environments
- Implement resilience patterns: add circuit breakers (Resilience4j) to inter-service REST calls, configure retries with exponential backoff, and test failure scenarios
- Refactor a synchronous microservice to use reactive programming with Project Reactor; replace blocking HTTP calls with WebClient and handle backpressure
- Implement distributed tracing: integrate Spring Cloud Sleuth and Zipkin to trace requests across multiple microservices and visualize call chains
- Build an event-driven workflow using Spring Cloud Stream: publish domain events from one microservice and consume them in others via RabbitMQ or Kafka
Next up: This stage equips you with the architectural patterns, tooling, and hands-on skills to build resilient, observable microservices; the next stage will deepen your expertise in container orchestration, infrastructure-as-code, and advanced cloud deployment strategies.

The definitive guide to microservices architecture patterns — sagas, API gateways, CQRS, event sourcing — using Spring Boot examples. Read it first in this stage to establish architectural thinking.

Translates microservices patterns directly into Spring Cloud code: Eureka, Config Server, Gateway, Resilience4j, and Zipkin. Pairs perfectly with Richardson's pattern-level thinking.

The most modern title in the curriculum, covering Spring Boot 3, Spring Cloud, Kubernetes, and GitOps together. Read last to tie everything into a production-ready, cloud-native deployment story.
Discussion
Keep reading
Paths that share books, cover the same subject, or open a related topic.