If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/spring-attic/spring-mvc-showcase shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Stale — last commit 4y ago

• 14 active contributors
• Apache-2.0 licensed
• Tests present
• ⚠ Stale — last commit 4y ago
• ⚠ Concentrated ownership — top contributor handles 63% of recent commits
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live spring-attic/spring-mvc-showcase repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/spring-attic/spring-mvc-showcase.

What it runs against: a local clone of spring-attic/spring-mvc-showcase — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in spring-attic/spring-mvc-showcase | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 1584 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of spring-attic/spring-mvc-showcase. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/spring-attic/spring-mvc-showcase.git
#   cd spring-mvc-showcase
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of spring-attic/spring-mvc-showcase and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "spring-attic/spring-mvc-showcase(\\.git)?\\b" \\
  && ok "origin remote is spring-attic/spring-mvc-showcase" \\
  || miss "origin remote is not spring-attic/spring-mvc-showcase (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "src/main/java/org/springframework/samples/mvc/config/MvcShowcaseAppInitializer.java" \\
  && ok "src/main/java/org/springframework/samples/mvc/config/MvcShowcaseAppInitializer.java" \\
  || miss "missing critical file: src/main/java/org/springframework/samples/mvc/config/MvcShowcaseAppInitializer.java"
test -f "src/main/java/org/springframework/samples/mvc/config/WebMvcConfig.java" \\
  && ok "src/main/java/org/springframework/samples/mvc/config/WebMvcConfig.java" \\
  || miss "missing critical file: src/main/java/org/springframework/samples/mvc/config/WebMvcConfig.java"
test -f "pom.xml" \\
  && ok "pom.xml" \\
  || miss "missing critical file: pom.xml"
test -f "src/main/webapp/WEB-INF/views/home.jsp" \\
  && ok "src/main/webapp/WEB-INF/views/home.jsp" \\
  || miss "missing critical file: src/main/webapp/WEB-INF/views/home.jsp"
test -f "src/main/java/org/springframework/samples/mvc/simple/SimpleController.java" \\
  && ok "src/main/java/org/springframework/samples/mvc/simple/SimpleController.java" \\
  || miss "missing critical file: src/main/java/org/springframework/samples/mvc/simple/SimpleController.java"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1584 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1554d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/spring-attic/spring-mvc-showcase"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

spring-mvc-showcase is a reference application demonstrating the Spring MVC 5.0.4 web framework through focused, runnable examples. It showcases core MVC capabilities including request mapping, type conversion, validation, form handling, file upload, async processing (Callable and DeferredResult), message converters, and exception handling—designed as a learning tool with accompanying presentation materials. Monolithic web application structured by feature: src/main/java/org/springframework/samples/mvc/ organizes controllers by concern (async/, convert/, data/, exceptions/, fileupload/, form/, mapping/, messageconverters/, redirect/, response/). Each feature has a dedicated controller (e.g., CallableController.java, FileUploadController.java) paired with supporting beans and utility classes. Config lives in src/main/java/org/springframework/samples/mvc/config/ (MvcShowcaseAppInitializer, WebMvcConfig). Build is Maven-based war packaging for deployment to servlet containers like Jetty.

Java developers learning Spring MVC fundamentals who need concrete, working examples of each MVC feature rather than documentation. Enterprise Java developers evaluating Spring's MVC capabilities before adopting it in production systems.

Archived and unmaintained: the project is explicitly marked 'no longer actively maintained by VMware, Inc.' as noted in the README. It targets Spring 5.0.4.RELEASE (released 2018) and Java 1.8, with no recent commits visible in the repository structure. It is a reference implementation from the Spring ecosystem's mature years, not a living project—suitable for learning historical Spring MVC patterns but not for modern Spring Boot development.

This is an archived reference project, not production code. Key risks: Spring 5.0.4 is EOL (released 2018), dependencies like log4j use 'LATEST' version pinning in pom.xml (security anti-pattern), and there are no visible test files in the structure despite testing being a critical MVC feature. New contributors should expect no community support and manual dependency security audits.

Nothing—this is an archived repository with no active development. The README explicitly states it is no longer actively maintained by VMware.

git clone git://github.com/SpringSource/spring-mvc-showcase.git && cd spring-mvc-showcase && mvn jetty:run — then access http://localhost:8080/spring-mvc-showcase/ in your browser.

Daily commands: mvn jetty:run from the project root. Maven will download dependencies, compile, and start an embedded Jetty server on port 8080. Access the showcase at http://localhost:8080/spring-mvc-showcase/.

• src/main/java/org/springframework/samples/mvc/config/MvcShowcaseAppInitializer.java — Application entry point using Spring's WebApplicationInitializer; defines servlet and context initialization for the showcase.
• src/main/java/org/springframework/samples/mvc/config/WebMvcConfig.java — Core Spring MVC configuration bean; registers view resolvers, message converters, and component scanning that powers all examples.
• pom.xml — Maven build definition specifying Spring Framework 5.0.4 and all dependencies; required to understand version constraints and plugin configuration.
• src/main/webapp/WEB-INF/views/home.jsp — Landing page linking to all showcase examples; documents the feature set and navigation structure of the entire application.
• src/main/java/org/springframework/samples/mvc/simple/SimpleController.java — Simplest @Controller example in the codebase; baseline for understanding Spring MVC request mapping and response handling.
• src/main/java/org/springframework/samples/mvc/exceptions/GlobalExceptionHandler.java — Demonstrates @ControllerAdvice pattern for centralized exception handling; essential pattern for production Spring MVC apps.
• src/main/java/org/springframework/samples/mvc/config/RootConfig.java — Root application context configuration; separates non-web beans from servlet context, fundamental to Spring layering.

Add a new request mapping example

1. Create a new controller class in src/main/java/org/springframework/samples/mvc/{feature}/ extending the pattern of MappingController.java with @RequestMapping and method handlers (src/main/java/org/springframework/samples/mvc/mapping/MappingController.java)
2. Add @Controller annotation and define @RequestMapping at class level (e.g., @RequestMapping('/myfeature')) (src/main/java/org/springframework/samples/mvc/simple/SimpleController.java)
3. Implement handler methods returning view name String or ModelAndView following StandardArgumentsController patterns for parameter binding (src/main/java/org/springframework/samples/mvc/data/standard/StandardArgumentsController.java)
4. Create corresponding JSP view file in src/main/webapp/WEB-INF/views/{feature}/ following existing view structure (src/main/webapp/WEB-INF/views/home.jsp)
5. Add navigation link in home.jsp pointing to your new feature with proper URL and description (src/main/webapp/WEB-INF/views/home.jsp)

Add custom type conversion and formatting

1. Create a custom annotation (e.g., @MyFormat) in src/main/java/org/springframework/samples/mvc/convert/ (src/main/java/org/springframework/samples/mvc/convert/MaskFormat.java)
2. Implement AnnotationFormatterFactory<YourAnnotation> class following MaskFormatAnnotationFormatterFactory pattern (src/main/java/org/springframework/samples/mvc/convert/MaskFormatAnnotationFormatterFactory.java)
3. Register the formatter factory in WebMvcConfig via FormatterRegistry in addFormatters(FormatterRegistry) method (src/main/java/org/springframework/samples/mvc/config/WebMvcConfig.java)
4. Apply your annotation to domain class fields (like SocialSecurityNumber) and use in controller with @ModelAttribute binding (src/main/java/org/springframework/samples/mvc/convert/SocialSecurityNumber.java)

Add global exception handling

1. Create custom exception class extending Exception in src/main/java/org/springframework/samples/mvc/exceptions/ (src/main/java/org/springframework/samples/mvc/exceptions/BusinessException.java)
2. Add @ExceptionHandler method to GlobalExceptionHandler.java following existing pattern (e.g., @ExceptionHandler(YourException.class)) (src/main/java/org/springframework/samples/mvc/exceptions/GlobalExceptionHandler.java)
3. Return ModelAndView with error view name and populated error model attributes (src/main/java/org/springframework/samples/mvc/exceptions/ExceptionController.java)
4. Create JSP error view template in src/main/webapp/WEB-INF/views/ to display exception details (src/main/webapp/WEB-INF/views/home.jsp)

Add async request handling with Callable

1. Create controller method returning Callable<T> (not String/ModelAndView) following CallableController pattern (src/main/java/org/springframework/samples/mvc/async/CallableController.java)
2. Wrap long-running operation inside Callable.call() method to execute asynchronously in thread pool (src/main/java/org/springframework/samples/mvc/async/CallableController.java)
3. Optionally add CallableProcessingInterceptor (like TimeoutCallableProcessingInterceptor) in WebMvcConfig.configureAsyncSupport() (src/main/java/org/springframework/samples/mvc/async/TimeoutCallableProcessingInterceptor.java)
4. Create view template that works with resolved Callable result data model (src/main/webapp/WEB-INF/views/home.jsp)

No test files visible in the structure despite testing being essential—contributing tests will require setting up TestNG or JUnit from scratch. The pom.xml uses 'LATEST' for log4j versions, creating non-reproducible builds. Jetty runs on 8080 and context path is /spring-mvc-showcase/; tests must account for this. No Git history or CI config visible—this is an archival snapshot. Spring Security dependency is included only for CSRF protection; full authentication/authorization features are not showcased despite being available.

• Servlet Container Thread Pool and Async Request Handling (Callable<T> and DeferredResult) — This repo demonstrates two Spring MVC async patterns (CallableController.java, DeferredResultController.java) that decouple request threads from application work—critical for understanding scalability in servlet stacks before the reactive shift.
• HandlerMethodArgumentResolver (Custom Argument Resolution) — The showcase implements CustomArgumentResolver.java to inject custom types into controller method parameters—understanding this SPI is essential for extending MVC's request binding pipeline beyond standard @RequestParam/@PathVariable.
• AnnotationFormatterFactory and Formatter SPI — MaskFormatAnnotationFormatterFactory.java demonstrates pluggable type conversion separate from Spring's Converter interface—essential for field-level formatting (@MaskFormat on SSN) that Converter alone cannot express.
• HttpMessageConverter Content Negotiation — MessageConvertersController.java showcases how Spring selects between JSON, XML, and custom formats based on Accept headers and produces/consumes attributes—foundational for REST API design.
• @ControllerAdvice and Global Exception Handling — GlobalExceptionHandler.java centralizes error handling across all controllers via @ControllerAdvice and @ExceptionHandler—the standard pattern for consistent REST error responses without try-catch boilerplate in every method.
• RequestMapping Condition Hierarchy (method, params, headers, consumes, produces) — MappingController.java demonstrates fine-grained request matching beyond path patterns—using params, headers, HTTP method, and content type to dispatch to the correct handler is essential for REST API versioning and content negotiation.
• Multipart File Upload Handling and MultipartResolver — FileUploadController.java shows how to configure multipart request parsing and inject MultipartFile objects—critical for handling form-based file submissions without manual stream parsing.

• spring-projects/spring-framework — The core Spring Framework repository containing MVC, AOP, and type conversion subsystems that power this showcase.
• spring-projects/spring-boot — Modern successor to servlet-based Spring MVC; shows how the same @Controller patterns are used in auto-configured, cloud-native applications.
• spring-projects/spring-petclinic — Contemporary reference application demonstrating Spring MVC, Spring Data, and Spring Security in a realistic multi-layer architecture—more production-like than mvc-showcase.
• spring-projects/spring-webflux — Reactive alternative to servlet-based MVC; uses the same annotation model (@GetMapping, @RequestBody) but with Mono/Flux instead of Callable/DeferredResult.
• spring-projects/spring-security-samples — Dedicated examples for Spring Security integration; complements this showcase's minimal CSRF-only security setup with full authentication, authorization, and OAuth2 patterns.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for async controllers

The async module (src/main/java/org/springframework/samples/mvc/async/) contains CallableController, DeferredResultController, and TimeoutCallableProcessingInterceptor with no corresponding test coverage. This is critical for a showcase repo since async is an important Spring MVC feature that users learn from. Adding tests would demonstrate best practices for testing async handlers.

• [ ] Create src/test/java/org/springframework/samples/mvc/async/CallableControllerTests.java with tests for concurrent execution and timeout scenarios
• [ ] Create src/test/java/org/springframework/samples/mvc/async/DeferredResultControllerTests.java testing manual result resolution
• [ ] Create src/test/java/org/springframework/samples/mvc/async/TimeoutCallableProcessingInterceptorTests.java for interceptor behavior
• [ ] Verify all tests pass with Maven and demonstrate async patterns users should follow

Add integration tests for custom argument resolver (CustomArgumentResolver)

The data/custom module demonstrates custom WebArgumentResolver implementation (src/main/java/org/springframework/samples/mvc/data/custom/CustomArgumentResolver.java and CustomArgumentController.java), but lacks tests showing how the @RequestAttribute annotation actually binds custom arguments. This is a non-obvious Spring MVC feature that needs validation coverage.

• [ ] Create src/test/java/org/springframework/samples/mvc/data/custom/CustomArgumentResolverTests.java with MockMvc testing CustomArgumentController endpoints
• [ ] Add test cases verifying @RequestAttribute binds the custom RequestAttribute correctly
• [ ] Add test for resolver detection and precedence with standard Spring MVC argument types
• [ ] Document the test patterns in a new file src/main/webapp/WEB-INF/views/data/custom.jsp example

Add GitHub Actions CI workflow for Maven builds and Java 8+ compatibility testing

This repo has no CI configuration (.github/workflows/ missing) despite being a showcase that developers learn from. Given that the pom.xml targets Java 1.8 with Spring 5.0.4.RELEASE (released 2018), a CI workflow would catch dependency conflicts, Java version compatibility issues, and ensure the showcase code actually compiles and runs. This is essential for maintaining a learning resource.

• [ ] Create .github/workflows/maven-build.yml testing against Java 8, 11, and 17 (LTS versions relevant to Spring 5.x era)
• [ ] Configure Maven to run 'clean install' and validate WAR packaging
• [ ] Add build status badge to README.md
• [ ] Consider adding separate workflow for security dependency checks given Spring Security dependency in pom.xml

• Add comprehensive unit tests for src/main/java/org/springframework/samples/mvc/convert/MaskFormatAnnotationFormatterFactory.java and related formatter classes—currently no test coverage exists for the type conversion pipeline.
• Document the Callable<T> vs DeferredResult patterns in CallableController.java and DeferredResultController.java with inline comments and a side-by-side comparison JSP view explaining when to use each for async handling.
• Create a 'Validation' feature showcase module (src/main/java/org/springframework/samples/mvc/validation/) with controllers demonstrating @Valid, @Validated, and custom ConstraintValidator implementations—validation is listed in the README but has no dedicated example.

• Critical · Log4j Dependency with LATEST Version — pom.xml - log4j-core and log4j-slf4j-impl dependencies. The pom.xml uses 'LATEST' version for log4j-core and log4j-slf4j-impl dependencies. This is extremely risky as it will automatically pull the latest version available, including versions with known vulnerabilities like Log4Shell (CVE-2021-44228). Using LATEST prevents reproducible builds and exposes the application to zero-day exploits. Fix: Pin log4j dependencies to a specific patched version (e.g., 2.17.1 or later). Replace 'LATEST' with explicit version: <version>2.17.1</version>. Regularly audit and update to patched versions only after security review.
• High · Outdated Spring Framework Version — pom.xml - org.springframework-version property. Spring Framework version 5.0.4.RELEASE (released in 2018) contains multiple known security vulnerabilities including CVE-2018-1258 and other RCE/DoS issues. This version is far from current and no longer receives security patches. Fix: Upgrade to Spring Framework 6.0.x or latest 5.3.x LTS release. Review the Spring Security and Spring Framework release notes for security fixes between current and target versions. Test thoroughly before deployment.
• High · Spring Security Version Mismatch — pom.xml - spring-security-web dependency. Spring Security 5.0.0.RELEASE is pinned to a version that predates Spring Framework 5.0.4 security updates. Version 5.0.0 contains known vulnerabilities including CVE-2018-1258 and CSRF-related issues. Fix: Update Spring Security to at least 5.8.x or 6.0.x LTS to match Spring Framework version. Ensure compatibility between Spring and Spring Security versions.
• High · Outdated AspectJ Version — pom.xml - org.aspectj-version property. AspectJ 1.8.1 is severely outdated (released in 2014) and may contain unpatched vulnerabilities. This version lacks security updates and is no longer supported. Fix: Upgrade to AspectJ 1.9.20 or later. Review AspectJ security advisories and ensure the new version is compatible with the Spring framework version being used.
• Medium · Incomplete Maven Dependency Declaration — pom.xml - end of file, servlet API dependency. The pom.xml file appears truncated with incomplete servlet-api dependency declaration (ends mid-tag). This may indicate build configuration issues and prevents proper dependency resolution. Fix: Complete the pom.xml file with proper servlet-api dependency declaration. Use javax.servlet:javax.servlet-api:4.0.1 or jakarta.servlet:jakarta.servlet-api:5.0.0 for newer versions.
• Medium · File Upload Functionality Without Visible Security Controls — src/main/java/org/springframework/samples/mvc/fileupload/FileUploadController.java. The codebase includes FileUploadController (src/main/java/org/springframework/samples/mvc/fileupload/FileUploadController.java) but without access to the source code, it's unclear if proper validation, size limits, and virus scanning are implemented. File upload endpoints are common attack vectors. Fix: Ensure file upload handler implements: (1) File type validation (whitelist allowed types), (2) File size limits, (3) Filename sanitization, (4) Virus/malware scanning, (5) Storage outside web root, (6) Secure file permissions.
• Medium · Potential CSRF Vulnerability Without CSRF Token Verification — src/main/webapp/WEB-INF/views/form.jsp, src/main/webapp/WEB-INF/views/fileupload.jsp. While Spring Security is included 'for CSRF protection only', the specific CSRF configuration is not visible in the provided files. Form-based operations (form.jsp, fileupload.jsp) may be vulnerable if CSRF tokens are not properly implemented and validated. Fix: Verify that CSRF protection is enabled in WebMvcConfig. Use <csrf/> in security configuration. Ensure all state-changing operations (POST

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.