yudaocode/SpringBoot-Labs
A repository covering six columns: Spring Boot 2.X, Spring Cloud, Spring Cloud Alibaba, Dubbo, distributed message queues, and distributed transactions. If it helps you, give it a Star in the top-right corner; thank you, 1024.
Stale and unlicensed — last commit 2y ago
Documented and popular — useful reference codebase to read through.
- ✓ 3 active contributors
- ✓ Tests present
- ⚠ Stale — last commit 2y ago
- ⚠ Small team — 3 contributors active in recent commits
- ⚠ Single-maintainer risk — top contributor 98% of recent commits
- ⚠ No license — legally unclear to depend on
- ⚠ No CI workflows detected
What would change the summary?
- Use as dependency: Concerns → Mixed if a permissive license (MIT, Apache-2.0, etc.) is published
- Fork & modify: Concerns → Mixed if a LICENSE file is added
- Deploy as-is: Concerns → Mixed if a LICENSE file is added
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: yudaocode/SpringBoot-Labs
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in "Verify before trusting" below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the "AI · unverified" sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/yudaocode/SpringBoot-Labs shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
AVOID — Stale and unlicensed — last commit 2y ago
- 3 active contributors
- Tests present
- ⚠ Stale — last commit 2y ago
- ⚠ Small team — 3 contributors active in recent commits
- ⚠ Single-maintainer risk — top contributor 98% of recent commits
- ⚠ No license — legally unclear to depend on
- ⚠ No CI workflows detected
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live yudaocode/SpringBoot-Labs
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/yudaocode/SpringBoot-Labs.
What it runs against: a local clone of yudaocode/SpringBoot-Labs — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in yudaocode/SpringBoot-Labs | Confirms the artifact applies here, not a fork |
| 2 | Default branch master exists | Catches branch renames |
| 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 4 | Last commit ≤ 770 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of yudaocode/SpringBoot-Labs. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/yudaocode/SpringBoot-Labs.git
#   cd SpringBoot-Labs
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok()   { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of yudaocode/SpringBoot-Labs and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "yudaocode/SpringBoot-Labs(\.git)?\b" \
  && ok "origin remote is yudaocode/SpringBoot-Labs" \
  || miss "origin remote is not yudaocode/SpringBoot-Labs (artifact may be from a fork)"

# 2. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 3. Critical files exist (the five load-bearing paths the artifact cites)
for f in \
  "lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/config/SecurityConfig.java" \
  "lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/Application.java" \
  "lab-01-spring-security/lab-01-springsecurity-demo/src/main/java/cn/iocoder/springboot/lab01/springsecurity/controller/AdminController.java" \
  "lab-02-spring-security-oauth/authorization-code-server/src/main/java/cn/iocoder/springboot/labs/lab01/authorization/OAuth2AuthorizationServer.java" \
  "lab-02-spring-security-oauth/authorization-code-server/src/main/java/cn/iocoder/springboot/labs/lab01/resource/OAuth2ResourceServer.java"
do
  test -f "$f" && ok "$f" || miss "missing critical file: $f"
done

# 4. Repo recency (seconds since the last commit, converted to whole days)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 770 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~740d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/yudaocode/SpringBoot-Labs"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).
⚡TL;DR
SpringBoot-Labs is a comprehensive learning repository with 50,000+ lines of example code covering six major Java enterprise technology stacks: Spring Boot 2.X, Spring Cloud, Spring Cloud Alibaba, Dubbo, distributed message queues (MQ), and distributed transactions. It provides deep, production-oriented tutorials beyond basic "Hello World" examples, with specific modules for each technology area (e.g., lab-01-spring-security for authentication, lab-23 for SpringMVC, lab-27 for WebFlux). Monorepo structure with each technology area as a separate module directory (lab-01-spring-security, lab-23, lab-26, lab-27, lab-47, lab-48-hot-swap, lab-49, lab-55 visible). Core pom.xml acts as parent with all modules commented out by default—developers uncomment specific labs they want to study. Each lab module contains self-contained pom.xml, src/main/java application code, and resource files. httpRequests/ directory contains IDE request logs from testing.
👥Who it's for
Java backend developers and architects learning enterprise-scale distributed systems, particularly those in Chinese-speaking communities who want to move beyond introductory tutorials to understand clustering, message ordering, transactional consistency, and service orchestration in real systems.
🌱Maturity & risk
Actively maintained educational repository (evidenced by extensive HTTP request history from December 2020 and detailed module organization). Not a production framework itself but a companion learning resource with 50,000+ lines of working example code. Significant community usage indicated by author's reference to 1024 (programmer's day) and community engagement through WeChat groups, suggesting maturity in Chinese developer circles.
This is an educational repository, not a production framework, so 'risk' is low for learning purposes. However, Spring Boot 2.1.10.RELEASE (visible in pom.xml parent version) is older—currently in maintenance phase. The massive size (50,000+ lines across 6 domains) means the learning curve is steep; following outdated patterns in one module could carry forward. Single maintainer (YunaiV) means maintenance depends on one person's availability.
Active areas of work
Repository appears to be in documentation/curation phase rather than active feature development. Recent activity (December 2020 timestamps in httpRequests/) shows HTTP testing of implemented examples. No indication of open PRs or breaking changes in visible file structure—focus is on maintaining and expanding example coverage across the six technology pillars.
🚀Get running
```bash
git clone https://github.com/YunaiV/SpringBoot-Labs.git
cd SpringBoot-Labs
# Edit pom.xml to uncomment the desired lab modules (e.g., lab-01-spring-security or lab-23).
mvn clean install
cd lab-XX-module
mvn spring-boot:run
```
Daily commands:
- mvn clean install — build all modules
- mvn spring-boot:run — run a specific module after cd into its directory
- For distributed examples: ensure the required services are running (Nacos, Zookeeper, Kafka, RocketMQ, etc.) per the individual module's README.
🗺️Map of the codebase
- lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/config/SecurityConfig.java — Core Spring Security configuration that defines authentication, authorization, and role-based access control for the entire application
- lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/Application.java — Application entry point and Spring Boot starter that bootstraps the security framework
- lab-01-spring-security/lab-01-springsecurity-demo/src/main/java/cn/iocoder/springboot/lab01/springsecurity/controller/AdminController.java — Demonstrates endpoint protection and role-based authorization patterns used throughout the codebase
- lab-02-spring-security-oauth/authorization-code-server/src/main/java/cn/iocoder/springboot/labs/lab01/authorization/OAuth2AuthorizationServer.java — OAuth2 authorization server configuration showing how to implement the authorization code flow for token management
- lab-02-spring-security-oauth/authorization-code-server/src/main/java/cn/iocoder/springboot/labs/lab01/resource/OAuth2ResourceServer.java — OAuth2 resource server that validates tokens and protects REST endpoints, critical for understanding the resource layer
- pom.xml — Root Maven POM defining all 600+ modules and shared dependencies; essential for understanding project structure and module activation
- README.md — Master documentation that explains the six columnar focuses (Spring Boot, Spring Cloud, Dubbo, MQ, Distributed Transactions) and module organization
🛠️How to make changes
Add a New Spring Security Role-Based Demo
- Create a new module directory under lab-01-spring-security/ following the naming convention lab-01-springsecurity-demo-{feature} (lab-01-spring-security/pom.xml)
- Create SecurityConfig.java extending WebSecurityConfigurerAdapter and define role-based access rules using .authorizeRequests() (lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/config/SecurityConfig.java)
- Create controller endpoints annotated with @PreAuthorize("hasRole(...)") to enforce role restrictions (lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/controller/DemoController.java)
- Create Application.java with @SpringBootApplication to bootstrap the new module (lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/Application.java)
- Add the module to the root pom.xml under the spring-boot-labs project's modules section (uncomment if commented) (pom.xml)
Add a New OAuth2 Server Implementation
- Create a new directory under lab-02-spring-security-oauth/ with the naming convention {flow-type}-server (e.g., implicit-flow-server) (lab-02-spring-security-oauth/authorization-code-server/pom.xml)
- Create OAuth2AuthorizationServer.java extending org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter (lab-02-spring-security-oauth/authorization-code-server/src/main/java/cn/iocoder/springboot/labs/lab01/authorization/OAuth2AuthorizationServer.java)
- Create OAuth2ResourceServer.java implementing the resource server configuration with @EnableResourceServer (lab-02-spring-security-oauth/authorization-code-server/src/main/java/cn/iocoder/springboot/labs/lab01/resource/OAuth2ResourceServer.java)
- Create protected endpoints in resource/api/ExampleController.java with @PreAuthorize("hasAnyScope(...)") (lab-02-spring-security-oauth/authorization-code-server/src/main/java/cn/iocoder/springboot/labs/lab01/resource/api/ExampleController.java)
- Configure application.properties with the OAuth2 server details (port, endpoints, client credentials) (lab-02-spring-security-oauth/authorization-code-server/src/main/resources/application.properties)
Add Protected REST Endpoints to Existing Security Module
- Create a new @RestController class in the controller/ directory following the naming convention {Feature}Controller.java (lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/controller/DemoController.java)
- Annotate endpoint methods with @PreAuthorize("hasRole(...)") or @PreAuthorize("hasAnyRole(...)") (lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/controller/TestController.java)
- Optionally add method-level security by enabling @EnableGlobalMethodSecurity(prePostEnabled=true) in SecurityConfig.java (lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/config/SecurityConfig.java)
- Test endpoint protection using the httpRequests/ tests or curl commands following the patterns in httpRequests/http-requests-log.http (httpRequests/http-requests-log.http)
🔧Why these technologies
- Spring Security 2.1.10 — Industry-standard framework for authentication, authorization, and protection against common web exploits; extensively documented and actively maintained
- Spring Boot 2.1.10.RELEASE — Provides rapid application setup with autoconfiguration, embedded servlet containers, and starter dependencies to reduce boilerplate
- Spring MVC (spring-boot-starter-web) — Enables building RESTful APIs and web controllers for demonstrating security enforcement patterns
- OAuth2 (spring-security-oauth2) — Implements industry-standard token-
🪤Traps & gotchas
- All Maven modules are commented out in the root pom.xml by default—students must manually uncomment the specific labs they want to study, or the build fails silently.
- Spring Boot 2.1.10.RELEASE is old (released 2019); some patterns may not apply to 2.7.x or 3.x.
- Distributed examples (Spring Cloud, Dubbo, MQ, transactions) require external service infrastructure (Nacos, Zookeeper, Kafka, RocketMQ, Seata servers) to be running—not bundled in the repo.
- Documentation is in Chinese and links to external blog posts (http://www.iocoder.cn/) which may drift or be paywalled.
- No visible CI/CD pipeline (.github/workflows), so quality gates are manual.
🏗️Architecture
💡Concepts to learn
- Spring Boot Autoconfiguration — Core to understanding why lab examples work with minimal explicit configuration; lab-47 specifically teaches this mechanism that underlies all 6 technology stacks in this repo
- Service Registry & Discovery — Central to Spring Cloud and Spring Cloud Alibaba labs (Nacos, Eureka); required for building scalable distributed systems shown in this repo
- Distributed Transactions (Saga Pattern) — The distributed transactions column teaches the Seata implementation; essential for maintaining consistency across microservices without traditional ACID guarantees
- Message Queue Guarantees (Ordering, Idempotence, Delivery) — The MQ column covers Kafka, RocketMQ, and RabbitMQ delivery models, ordering semantics, and consumption patterns critical for asynchronous processing at scale
- RPC Framework Protocol (Dubbo vs gRPC) — The Dubbo column explains service invocation patterns, serialization, and load balancing strategies that differ fundamentally from REST and affect system performance
- Spring Security Authorization Hierarchy (Role-Based Access Control) — lab-01 teaches Spring Security's role and permission model; foundational for securing distributed systems across all 6 technology areas
- Distributed Session State Management — lab-26 addresses session consistency across multiple instances; critical for load-balanced web tiers where sticky sessions are unavailable
🔗Related repos
- alibaba/spring-cloud-alibaba — Official Spring Cloud Alibaba implementation that labs in this repo depend on and illustrate through examples
- apache/dubbo — Core Dubbo RPC framework documented through working examples in the Dubbo column labs in this repository
- seata/seata — Distributed transaction framework that the distributed transactions column labs use to demonstrate distributed transaction patterns
- spring-projects/spring-boot — Official Spring Boot source; this repo's entire structure is built on Spring Boot 2.X and explains its autoconfiguration mechanisms
- spring-cloud/spring-cloud-config — Companion framework used in the Spring Cloud labs for centralized configuration management in distributed systems
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive test suite for lab-01-spring-security modules
The repo contains Spring Security demonstration modules (lab-01-springsecurity-demo and lab-01-springsecurity-demo-role) but lacks corresponding unit and integration tests. Adding tests for SecurityConfig.java, DemoController.java, and TestController.java would validate the security configurations work correctly and provide examples for contributors learning Spring Security.
- [ ] Create src/test/java directory structure mirroring src/main/java in lab-01-springsecurity-demo-role
- [ ] Add SecurityConfigTest.java to test role-based access control in SecurityConfig.java
- [ ] Add DemoControllerTest.java with MockMvc to test endpoint security and role-based access
- [ ] Add TestControllerTest.java to validate test endpoints
- [ ] Add spring-boot-starter-test dependency to pom.xml
- [ ] Include @SpringBootTest and @WithMockUser annotations for realistic testing
Create .gitignore entries to exclude httpRequests directory from version control
The repository contains 50+ IDE-generated HTTP request log files (httpRequests/ directory with timestamps like 2020-12-20T*.json and http-client.cookies). These are local test artifacts that should not be in version control, bloating the repo and causing merge conflicts. Adding proper .gitignore rules will clean the repository.
- [ ] Update .gitignore to add 'httpRequests/' entry to exclude the entire directory
- [ ] Add '.http' and '.cookies' patterns to exclude HTTP request files
- [ ] Create a .gitkeep or README.md in httpRequests/ documenting its purpose for local testing only
- [ ] Run 'git rm --cached httpRequests/ -r' to remove tracked files
- [ ] Document in main README.md that httpRequests/ is for local IDE testing only
Add CI/CD workflow with GitHub Actions for Maven module compilation and testing
With 50,000+ lines of example code across 6 technology stacks (Spring Boot, Spring Cloud, Dubbo, MQ, Distributed Transactions), the repo lacks automated build validation. Adding a GitHub Actions workflow to compile all enabled Maven modules and run tests would catch regressions early and signal to contributors which modules are actively maintained.
- [ ] Create .github/workflows/maven-build.yml with Java 8/11/17 matrix testing
- [ ] Configure workflow to parse root pom.xml and build only non-commented modules
- [ ] Add Maven cache step to speed up builds using actions/cache@v3
- [ ] Configure workflow to run on push to master and pull requests to catch integration issues
- [ ] Add badge to README.md showing build status
- [ ] Document in CONTRIBUTING.md that PRs must pass the Maven build workflow
🌿Good first issues
- Update Spring Boot parent version from 2.1.10.RELEASE to 2.7.x LTS in root pom.xml and verify all 6 major lab groups still compile and run (Spring Boot, Spring Cloud, Spring Cloud Alibaba, Dubbo, MQ, Transactions)
- Add docker-compose.yml files to lab-26 (distributed session), lab-33+ (MQ modules), and distributed transaction labs to automatically spin up required services (Redis, Kafka, RocketMQ, Nacos, Seata) so newcomers don't have to manually install infrastructure
- Create a CONTRIBUTING.md guide explaining the lab directory naming convention (lab-XX-feature), required package structure (com.imooc.*), and a checklist for submitting new example labs including: HTTP test cases in httpRequests/, application.yml examples, and corresponding blog post link
⭐Top contributors
- @YunaiV — 98 commits
- @helloichen — 1 commit
- @zhanghonghao — 1 commit
📝Recent commits
- 6c12efa — Merge pull request #68 from helloichen/master (YunaiV)
- 7b64abf — Update org.apache.dubbo.rpc.Filter (helloichen)
- 8f8952f — Add MinIO example (YunaiV)
- f41616c — Add MinIO example (YunaiV)
- 9023aa0 — Add TTL (YunaiV)
- b96e0a1 — Add mybatis plus multi-tenant example (YunaiV)
- 5be6fe3 — Add mybatis plus multi-tenant example (YunaiV)
- 85c7322 — Use showdoc to generate API docs (YunaiV)
- 60a9dd5 — Use showdoc to generate API docs (YunaiV)
- baf8bca — Use showdoc to generate API docs (YunaiV)
🔒Security observations
- High · Outdated Spring Boot Version — pom.xml (parent version: 2.1.10.RELEASE). The project uses Spring Boot 2.1.10.RELEASE (released October 2019), which is significantly outdated and contains multiple known security vulnerabilities. Current versions are 2.7.x or 3.x with numerous CVE patches applied. Fix: Upgrade to Spring Boot 2.7.14.RELEASE or Spring Boot 3.1.x/3.2.x to receive security patches for known CVEs including those affecting Spring Framework, Spring Security, and Tomcat.
- High · No Security Headers Configuration — lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/config/SecurityConfig.java. No evidence of security header configuration (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, etc.) in the visible Spring Security configuration. This leaves the application vulnerable to various client-side attacks. Fix: Configure security headers in SecurityConfig by adding .headers().xssProtection() and .frameOptions().deny(), or use a filter to add security headers like Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy.
- High · CSRF Protection Status Unknown — lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/config/SecurityConfig.java. The SecurityConfig.java file content is not provided for review. Default Spring Security behavior should enable CSRF, but custom configurations may have disabled it inadvertently. Fix: Verify that CSRF protection is explicitly enabled unless disabled intentionally. Ensure CSRF tokens are included in all state-changing requests (POST, PUT, DELETE).
- Medium · No Password Encoding Configuration Visible — lab-01-spring-security/lab-01-springsecurity-demo-role/src/main/java/cn/iocoder/springboot/lab01/springsecurity/config/SecurityConfig.java. Best practice for Spring Security requires explicit password encoder configuration. Without reviewing SecurityConfig.java, it's unclear whether a strong password encoder (e.g., BCryptPasswordEncoder) is configured instead of the deprecated NoOpPasswordEncoder. Fix: Explicitly configure a PasswordEncoder bean using BCryptPasswordEncoder with strength 12+ or Argon2PasswordEncoder. Never use NoOpPasswordEncoder in production.
- Medium · Debug HTTP Requests Stored in Repository — httpRequests/ directory (all .json and .http files). The httpRequests/ directory contains numerous stored HTTP request/response logs with timestamps. These may contain sensitive data like session tokens, credentials, or business logic details that should not be committed to version control. Fix: Remove the httpRequests/ directory from git using 'git rm -r --cached httpRequests/' and add it to .gitignore. Ensure no sensitive data was exposed in repository history.
- Medium · Missing HTTP Security Headers in Application Configuration — lab-01-spring-security/lab-01-springsecurity-demo/src/main/resources/application.yaml. No application.yaml or application.properties configuration file content provided for review. Missing configurations for security-related settings like session timeout, secure cookies, etc. Fix: Configure security properties: server.servlet.session.timeout, server.servlet.session.cookie.secure=true, server.servlet.session.cookie.http-only=true, and server.http2.enabled=true.
- Low · Incomplete Dependency Analysis — pom.xml (all modules). Only partial pom.xml content provided. Full dependency tree analysis cannot be completed to identify transitive vulnerabilities in dependencies like spring-security and spring-web. Fix: Run 'mvn dependency:check' and use 'mvn org.owasp:dependency-check-maven:check' to identify vulnerable dependencies. Consider using Snyk or OWASP Dependency-Check in the CI/CD pipeline.
- Low · No Security Testing Configuration — (location not given). No visible security testing dependencies (e.g., spring-security-test) or … Fix: (not given).
LLM-derived; treat as a starting point, not a security audit.
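As an added example (not code from SpringBoot-Labs or its author), this is the role-based SecurityConfig plus @PreAuthorize controller that the "Add a New Spring Security Role-Based Demo" steps describe, written against the Spring Boot 2.1.x / Spring Security 5.1 API the repo pins, with the fixes from the High and Medium findings above applied: security response headers, CSRF left enabled, and a BCrypt PasswordEncoder with strength 12. The package names, endpoint paths, and in-memory demo users are assumptions that mirror the lab's layout.

```java
// ---- file 1: .../lab01/springsecurity/config/SecurityConfig.java (hypothetical path mirroring the lab) ----
package cn.iocoder.springboot.lab01.springsecurity.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize for controller methods
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Medium finding: an explicit, strong hash instead of NoOpPasswordEncoder; cost 12 as the fix text asks.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // Constructed demo users; a real module would back this with a database or an identity provider.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        PasswordEncoder encoder = passwordEncoder();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager();
        users.createUser(User.withUsername("admin")
                .password(encoder.encode("change-me-admin")).roles("ADMIN").build());
        users.createUser(User.withUsername("normal")
                .password(encoder.encode("change-me-normal")).roles("NORMAL").build());
        return users;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // High finding (CSRF): protection stays on by default; nothing here calls .csrf().disable().
            .authorizeRequests()
                .antMatchers("/test/echo").permitAll()
                .antMatchers("/test/admin").hasRole("ADMIN")
                .antMatchers("/test/normal").hasAnyRole("ADMIN", "NORMAL")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            // High finding (headers): browser-side defences sent on every response.
            .headers()
                .frameOptions().deny()                                               // X-Frame-Options: DENY
                .contentTypeOptions().and()                                          // X-Content-Type-Options: nosniff
                .xssProtection().and()                                               // X-XSS-Protection: 1; mode=block
                .httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(31536000).and() // HSTS on HTTPS
                .contentSecurityPolicy("default-src 'self'; frame-ancestors 'none'");
    }
}

// ---- file 2: .../lab01/springsecurity/controller/DemoController.java (hypothetical path) ----
package cn.iocoder.springboot.lab01.springsecurity.controller;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/test")
public class DemoController {
    @GetMapping("/echo")
    public String echo() { return "public endpoint"; }

    // Method-level rule: still enforced if the URL matcher in SecurityConfig is later loosened by mistake.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin")
    public String admin() { return "admin only"; }

    @PreAuthorize("hasAnyRole('ADMIN', 'NORMAL')")
    @GetMapping("/normal")
    public String normal() { return "any signed-in role"; }
}
```

WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 and removed in 6.0, so the upgrade recommended in the first finding also means moving this configuration to a SecurityFilterChain bean; the HSTS header is only written on HTTPS responses.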
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.