Skip to content

React + Spring Boot Integration Interview Guide

React communicates with Spring Boot using REST APIs (or GraphQL).

flowchart TD
    A[React UI] --> B[Axios / Fetch API]
    B --> C[Spring Boot REST Controller]
    C --> D[Service Layer]
    D --> E[(Database)]

React

axios.get("/api/users")
.then(res => setUsers(res.data));

Spring Boot

@RestController
@RequestMapping("/api/users")
public class UserController {
@GetMapping
public List<User> getUsers() {
return userService.getAllUsers();
}
}

When React and Spring Boot run on different ports:

React : localhost:3000
Spring Boot : localhost:8080

The browser blocks requests because of the Same Origin Policy.

@CrossOrigin(origins = "http://localhost:3000")
@RestController
public class UserController {
}
@Configuration
public class CorsConfig {
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurer() {
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("http://localhost:3000");
}
};
}
}
sequenceDiagram
    participant U as User
    participant R as React
    participant S as Spring Boot
    U->>R: Login
    R->>S: Credentials
    S-->>R: JWT
    R->>R: Store Token
    R->>S: API Request + Authorization Header
    S-->>R: Validate JWT and return response

Authorization header:

Authorization: Bearer JWT_TOKEN

Axios interceptor:

axios.interceptors.request.use(config => {
config.headers.Authorization =
`Bearer ${localStorage.getItem("token")}`;
return config;
});
Storage Pros Cons
Local Storage Easy implementation Vulnerable to XSS
HttpOnly Secure Cookie More secure, inaccessible to JavaScript Requires CSRF protection

Enterprise applications typically prefer HttpOnly Secure Cookies.

axios.interceptors.response.use(
response => response,
error => {
if(error.response.status === 401){
navigate("/login");
}
return Promise.reject(error);
}
);
@RestControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(Exception.class)
public ResponseEntity<String> handleException(Exception ex) {
return ResponseEntity.badRequest()
.body(ex.getMessage());
}
}

Development:

VITE_API_URL=http://localhost:8080

Production:

VITE_API_URL=https://api.company.com

Usage:

const API_URL = import.meta.env.VITE_API_URL;

Avoid hardcoding URLs.

const formData = new FormData();
formData.append("file", file);
axios.post("/upload", formData);
@PostMapping("/upload")
public String upload(
@RequestParam("file") MultipartFile file) {
return file.getOriginalFilename();
}
@GetMapping("/download")
public ResponseEntity<Resource> download() {
return ResponseEntity.ok(resource);
}
const response = await axios.get("/download", {
responseType: "blob"
});
@GetMapping
public Page<User> getUsers(
@RequestParam int page,
@RequestParam int size) {
return repository.findAll(
PageRequest.of(page, size));
}
axios.get(`/users?page=0&size=10`);

Benefits:

  • Faster response
  • Reduced memory usage
  • Better user experience
const [loading, setLoading] = useState(false);
setLoading(true);
axios.get("/users")
.finally(() => setLoading(false));
{
loading ? <Spinner/> : <UserList/>
}
useEffect(() => {
const timer = setTimeout(() => {
searchUsers();
}, 500);
return () => clearTimeout(timer);
}, [searchText]);
  • React Query
  • SWR
  • Spring Security
  • JWT Authentication
  • HTTPS
  • Role-Based Access Control
  • Input Validation
  • CSRF protection (when using cookies)
  • Rate Limiting
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin")
public String admin() {
return "Admin Data";
}
flowchart LR
    A[npm run build] --> B[Copy build output]
    B --> C[src/main/resources/static]
    C --> D[Spring Boot JAR]
Terminal window
npm run build

Copy the build output into:

src/main/resources/static

Application URL:

http://server:8080
  • React -> Nginx
  • Spring Boot -> Docker/Kubernetes

This is the typical enterprise production approach.

const role = getRole();
{
role === "ADMIN"
? <AdminPanel />
: <UserPanel />
}

Always validate authorization on the backend as well.

  1. CORS issues
  2. JWT expiration handling
  3. API versioning
  4. Large payload performance
  5. File upload/download
  6. Pagination and lazy loading
  7. Role-based authorization
  8. Refresh token implementation
  9. Network failures
  10. Deployment and environment management

Typical enterprise solutions:

  • API Gateway
  • Axios Interceptors
  • Spring Security + JWT
  • React Query caching
  • CDN for static assets
  • Kubernetes deployment
  1. How would you implement Refresh Token flow?
  2. How do you secure React applications from XSS attacks?
  3. How would you implement SSO using OAuth2/OIDC?
  4. How do you manage state in a large React application?
  5. How do you version Spring Boot APIs?
  6. How do you handle distributed authentication across microservices?
  7. How would you integrate React with API Gateway and multiple microservices?
  8. How do you implement real-time updates using WebSocket?
  9. How do you optimize React application performance for large datasets?
  10. How would you design a production-grade React + Spring Boot architecture?
  • React communicates with Spring Boot primarily through REST APIs using Axios or Fetch.
  • Secure integrations typically use Spring Security with JWT and centralized Axios interceptors.
  • Enable CORS whenever the frontend and backend run on different origins.
  • Production deployments commonly separate React (Nginx/CDN) and Spring Boot (Docker/Kubernetes), though a single JAR deployment is also common.
  • Enterprise applications prioritize pagination, caching, centralized error handling, and secure authentication using HttpOnly cookies where appropriate.