Common Implementations

Session, JWT, and OAuth2 bring different trade-offs around state, scalability, and integration.

1. Definition

A session-based solution is straightforward and uses server-side state. JWT is common for stateless APIs, but token lifecycle and key management make it more complex. OAuth2 is an identity delegation protocol, not merely a token format.

2. Core Concepts

What happens underneath

When it is useful

Session, JWT, and OAuth2 bring different trade-offs around state, scalability, and integration. In interviews, highlight common use cases and the related Spring annotations.

What interviewers ask

Common questions cover Common Implementations trade-offs, debugging, and production pitfalls.

3. Practical Usage

Use Common Implementations when the problem truly calls for it.
Look at configuration and annotations together because both shape runtime behavior in Spring.
During debugging always inspect startup logs, the bean graph, and active profiles.
Prefer small components with clear responsibilities.
In interviews, mention the production trade-off, not only the annotation name.

4. Code Examples

The following example demonstrates Common Implementations with real Spring annotations.

import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class ResourceServerConfig {
    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(new JwtAuthenticationConverter())))
                .build();
    }
}

With JWT, stateless does not mean no state exists anywhere; revocation and refresh often still require state.

5. Trade-offs

Convention vs explicit configuration — Spring speeds development through convention, but sometimes explicit control is required for predictable behavior.
Fast development vs transparency — Less boilerplate is good, but too much framework magic can make debugging harder.
Abstraction vs control — Higher abstraction accelerates development, but you still need to understand low-level behavior.

6. Common Mistakes

Memorizing annotations without understanding runtime behavior.
Changing defaults without understanding the consequences.
Keeping oversized components with weak boundaries.
Ignoring logs and diagnostic tooling.
Not aligning the test strategy with the specific layer.

7. Senior-level Insights

A senior Spring engineer also looks at which proxy, bean post-processor, or filter is active under the hood.
Most hard bugs are not about annotation names but about lifecycle and ordering.
In production thinking, startup time, memory, observability, and rollback strategy all matter.

8. Glossary

Common Implementations: A Spring concept or mechanism related to this topic.
Bean: An object managed by Spring.
Proxy: An intermediate object that can add behavior.
Configuration: Properties or bean definitions that shape runtime behavior.
Context: The current application container state in Spring.

9. Cheatsheet

Session, JWT, and OAuth2 bring different trade-offs around state, scalability, and integration.
Understand the underlying lifecycle.
In interviews, mention the trade-off, not just the annotation.
For production bugs, start with logs, bean graph, and active profiles.
The simplest working solution is often the best one.