REST in Practice

REST is an architectural style for resource-oriented communication over HTTP. A RESTful API exposes resources through predictable URLs and uses HTTP methods to express actions.

| Method | Typical Meaning |
|---|---|
| GET | Read a resource |
| POST | Create or trigger processing |
| PUT | Replace a resource |
| PATCH | Partially update a resource |
| DELETE | Remove a resource |

Common HTTP Codes

| Code | Meaning |
|---|---|
| 200 | OK |
| 201 | Created |
| 202 | Accepted |
| 400 | Bad request |
| 401 | Unauthorized (in practice: not authenticated) |
| 403 | Authenticated but forbidden |
| 404 | Resource not found |
| 405 | Method not allowed |
| 500 | Internal server error |
| 502 | Bad gateway |
| 503 | Service unavailable |

Spring Boot Mapping

@RestController combines @Controller with @ResponseBody, so a handler method's return value is serialized straight into the response body (JSON by default when Jackson is on the classpath). @GetMapping, @PostMapping, and related annotations map HTTP routes to Java methods.

Interview Scenario Practice

Scenario 1: 400 vs 404

Scenario: A client calls /customers/not-an-email and the API cannot parse the identifier.

Strong answer: Return 400 Bad Request when the request format or input is invalid. Return 404 Not Found when the request is valid but the resource does not exist.

Why it works: The status code tells the client whether to fix the request or treat the resource as absent.

Common mistake: Returning 500 for validation errors. That makes a client-side problem look like a server outage.

Scenario 2: POST vs PUT

Scenario: You need an endpoint to create a new order, but the server generates the order ID.

Strong answer: Use POST /orders. The server creates a new resource and commonly returns 201 Created.

Why it works: POST is appropriate when the server owns creation and the final resource identifier; PUT /orders/{id} would require the client to know the identifier up front.

Common mistake: Using GET for creation because it is easy to test in the browser. GET should be safe and should not create state.
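The following controller is an added example, not code from the page, and ties the Spring Boot Mapping section to Scenarios 1 and 2: a malformed identifier gets 400, a well-formed but unknown one gets 404, and POST /orders answers 201 Created with a Location header. The package, class and route names are hypothetical, the in-memory maps are constructed stand-ins for a repository, and the sample customer record is constructed data.

```java
// Added example, not code from the page: a Spring Boot controller that applies
// the 400-vs-404 rule (Scenario 1) and the POST-creates-201 rule (Scenario 2).
// Package, class, field and route names are hypothetical; the in-memory maps
// are constructed stand-ins for a real repository.
package com.example.restpractice;

import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Pattern;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

@RestController
public class CustomerOrderController {

    // Constructed sample data: one known customer, no orders yet.
    private final Map<String, String> customers =
            new ConcurrentHashMap<>(Map.of("alice@example.com", "Alice"));
    private final Map<Long, NewOrder> orders = new ConcurrentHashMap<>();
    private final AtomicLong nextOrderId = new AtomicLong(1);

    // The identifier in /customers/{id} is expected to be an email address.
    private static final Pattern EMAIL =
            Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");

    // Scenario 1:
    //   GET /customers/not-an-email      -> 400: the client must fix the request
    //   GET /customers/bob@example.com   -> 404: well-formed, but no such customer
    //   GET /customers/alice@example.com -> 200
    @GetMapping("/customers/{id}")
    public ResponseEntity<Map<String, String>> getCustomer(@PathVariable String id) {
        if (!EMAIL.matcher(id).matches()) {
            return ResponseEntity.badRequest()
                    .body(Map.of("error", "customer id must be an email address"));
        }
        String name = customers.get(id);
        if (name == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok(Map.of("id", id, "name", name));
    }

    // Scenario 2: the request body carries no id; the server assigns one.
    public record NewOrder(String item, int quantity) {}

    @PostMapping("/orders")
    public ResponseEntity<NewOrder> createOrder(@RequestBody NewOrder order) {
        validate(order);
        long id = nextOrderId.getAndIncrement();
        orders.put(id, order);
        // 201 Created with a Location header pointing at the new resource,
        // e.g. Location: http://localhost:8080/orders/1
        URI location = ServletUriComponentsBuilder.fromCurrentRequest()
                .path("/{id}").buildAndExpand(id).toUri();
        return ResponseEntity.created(location).body(order);
    }

    private static void validate(NewOrder order) {
        if (order.item() == null || order.item().isBlank()) {
            throw new IllegalArgumentException("item is required");
        }
        if (order.quantity() <= 0) {
            throw new IllegalArgumentException("quantity must be positive");
        }
    }

    // Without this handler an IllegalArgumentException escaping createOrder
    // surfaces as 500 Internal Server Error, which is the "common mistake" of
    // Scenario 1. Mapping it to 400 keeps a client-side error on the client's
    // side. Keep the echoed messages fixed strings you control so nothing
    // internal (class names, SQL, stack frames) reaches the response.
    @ExceptionHandler(IllegalArgumentException.class)
    public ResponseEntity<Map<String, String>> onInvalidInput(IllegalArgumentException ex) {
        return ResponseEntity.badRequest().body(Map.of("error", ex.getMessage()));
    }
}
```

The @ExceptionHandler is the part worth remembering: Spring's default for an unhandled runtime exception is a 500 with its generic error body, so validation that throws instead of returning must be translated explicitly, or the client cannot tell its own bad input apart from an outage.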
Scenario 3: Unauthorized vs Forbidden

Scenario: A logged-in user tries to access an admin-only endpoint.

Strong answer: Return 403 Forbidden. The user is authenticated but does not have permission.

Why it works: 401 means authentication is missing or invalid; 403 means identity is known but access is denied.

Common mistake: Using 401 and 403 interchangeably.
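The configuration below is an added example, not code from the page, showing how Spring Security produces the Scenario 3 distinction for you: a request with no or invalid credentials is stopped at the authentication entry point with 401, while a verified user lacking the required role is refused with 403. It assumes spring-boot-starter-security on the classpath; the class, route and account names are hypothetical and the two in-memory accounts and their passwords are constructed for the demo only.

```java
// Added example, not code from the page: a minimal Spring Security setup in
// which 401 (unauthenticated) and 403 (authenticated, not permitted) fall out
// of the framework's ExceptionTranslationFilter rather than hand-written code.
// Class, route and account names are hypothetical; the accounts are demo-only.
package com.example.restpractice;

import java.security.Principal;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization rules: /admin/** needs ROLE_ADMIN; everything
            // else only needs a verified identity.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // HTTP Basic: a missing or wrong credential yields 401 plus a
            // WWW-Authenticate challenge; a valid credential that lacks the
            // required role yields 403.
            .httpBasic(Customizer.withDefaults())
            // No server-side session, so there is no session cookie for CSRF
            // to ride on. Disabling CSRF is appropriate only for this kind of
            // stateless, credential-per-request API, not for cookie sessions.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Constructed demo accounts: one plain user, one admin.
        UserDetails user = User.withUsername("user")
                .password(encoder.encode("user-demo-password")).roles("USER").build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-demo-password")).roles("ADMIN").build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Stores {bcrypt}-prefixed hashes; the plaintext above exists only in this demo.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}

// Two endpoints to exercise the rules. With the accounts above:
//   curl -i http://localhost:8080/me                                        -> 401
//   curl -i -u user:user-demo-password   http://localhost:8080/me           -> 200
//   curl -i -u user:user-demo-password   http://localhost:8080/admin/stats  -> 403
//   curl -i -u admin:admin-demo-password http://localhost:8080/admin/stats  -> 200
@RestController
class DemoController {

    @GetMapping("/me")
    public Map<String, String> me(Principal principal) {
        return Map.of("user", principal.getName());
    }

    @GetMapping("/admin/stats")
    public Map<String, Integer> stats() {
        // Constructed value; a real endpoint would query a service.
        return Map.of("activeUsers", 2);
    }
}
```

One design caveat a reviewer will raise: the 403 answer is right when it is acceptable for the caller to learn that the resource exists. For resources whose existence is itself sensitive, some APIs deliberately answer 404 to both unknown and forbidden lookups; that is a conscious trade of client clarity for less information disclosure, and it should be a documented decision rather than an accident of mixing up the two codes.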