Spring Boot 4.1.0: Deep Dive into 8 Must‑Know Production Features

Release overview

Spring Boot 4.1.0 was released on 2026‑06‑10. It is positioned as an incremental, production‑grade update that builds on Spring Framework 7.0.x and fills the gaps left by the 4.0 release.

Key features

gRPC official support

Spring Boot 4.1 introduces three starter modules that make gRPC a first‑class citizen: spring-boot-starter-grpc-server – automatic server configuration spring-boot-starter-grpc-client – automatic client configuration spring-boot-starter-batch-mongodb – Spring Batch + MongoDB support

Server configuration example

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-grpc-server</artifactId>
</dependency>

@GrpcService
public class GreetingServiceImpl extends GreetingServiceGrpc.GreetingServiceImplBase {
    @Override
    public void sayHello(HelloRequest request, StreamObserver<HelloReply> responseObserver) {
        String message = "Hello, " + request.getName() + "!";
        HelloReply reply = HelloReply.newBuilder().setMessage(message).build();
        responseObserver.onNext(reply);
        responseObserver.onCompleted();
    }
}

spring:
  grpc:
    server:
      port: 9090 # default 9090
      transport: netty # netty or servlet

Client configuration example

@GrpcClient("my-grpc-service")
private GreetingServiceGrpc.GreetingServiceBlockingStub greetingClient;

public String callGreeting(String name) {
    HelloRequest request = HelloRequest.newBuilder().setName(name).build();
    HelloReply reply = greetingClient.sayHello(request);
    return reply.getMessage();
}

Exception handling with @GrpcAdvice

@GrpcAdvice
public class GlobalGrpcExceptionHandler {
    @GrpcExceptionHandler(IllegalArgumentException.class)
    public StatusRuntimeException handleIllegalArgument(IllegalArgumentException e) {
        return Status.INVALID_ARGUMENT.withDescription(e.getMessage()).asRuntimeException();
    }
}

The server automatically registers an ObservationGrpcServerInterceptor that collects metrics and tracing data for each gRPC call.

HTTP client SSRF protection

Spring Boot 4.1 adds a framework‑level SSRF filter based on InetAddressFilter. The filter resolves the target hostname, checks the IP against an allow‑list, rejects black‑listed IPs (private ranges, loopback) and blocks redirects to malicious addresses.

Configuration

spring:
  http:
    client:
      ssrf:
        enabled: true
        deny-ip-subnets:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
          - 127.0.0.0/8
        allow-ip-subnets:
          - 192.168.1.0/24

Allow‑list is evaluated first; any IP not explicitly allowed is blocked.

Usage example

@RestController
public class ProxyController {
    @Autowired
    private RestClient restClient; // SSRF protection applied automatically

    @GetMapping("/fetch")
    public String fetchUrl(@RequestParam String url) {
        // Internal URLs are automatically rejected
        return restClient.get().uri(url).retrieve().body(String.class);
    }
}

Observability enhancements (OpenTelemetry)

OTLP exporter can be configured via standard environment variables or application.yml:

# application.yml
spring:
  telemetry:
    otlp:
      exporter:
        endpoint: http://otel-collector:4318
        timeout: 10s

# environment variables (recommended)
export OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4318
export OTEL_EXPORTER_OTLP_TIMEOUT=10000

The /actuator/info endpoint now returns richer process information, e.g.:

{
  "process": {
    "uptime": 3600000,
    "startTime": "2026-06-10T10:00:00Z",
    "currentTime": "2026-06-10T11:00:00Z",
    "timezone": "Asia/Shanghai",
    "locale": "zh_CN",
    "workingDir": "/app"
  }
}

Automatic observation beans for RabbitMQ and Kafka can be enabled:

spring:
  rabbitmq:
    observation:
      enabled: true
  kafka:
    observation:
      enabled: true

Data‑access layer upgrades

Lazy datasource connection – enable LazyConnectionDataSourceProxy so the JDBC connection is created only on first use:

spring:
  datasource:
    lazy: true # enable lazy connection

This reduces startup time, especially when many microservices start simultaneously.

Async context propagation – the @Async infrastructure now propagates security, transaction and other contextual data to the asynchronous thread.

Jackson configuration enhancements – finer‑grained control over JSON serialization and custom module registration.

Derby deprecation – Apache Derby integration is marked deprecated. Projects using embedded Derby for tests should migrate to H2 or HSQL:

DatabaseDriver.DERBY
EmbeddedDatabaseConnection.DERBY

Build‑tool chain improvements

Maven layers optimization – more granular Docker image layers improve cache reuse.

Gradle build‑info enhancements – the bootBuildImage task now accepts environment variables directly from the command line.

Configuration import charset support – specify character set when importing external configuration files:

spring:
  config:
    import: "file:./config/application-utf8.yml?charset=UTF-8"

Log4j2 file‑rotation support

Native Log4j2 file‑rotation can be configured via application.yml without a custom log4j2.xml:

logging:
  log4j2:
    file:
      rotation:
        strategy: size
        max-size: 100MB
        max-history: 30
        compression: gz

Kotlin 2.3 support

Spring Boot 4.1 upgrades its Kotlin compatibility to version 2.3, allowing developers to use the latest language features out of the box.

Dependency ecosystem refresh

Spring Security 7.1.0

Spring Data 2025.1.6

Project Reactor 2025.0.6

Jackson 3.1.4

Testcontainers 2.0.5

Spring gRPC 1.1.0

Breaking‑change checklist before upgrading

Deprecated APIs from 4.0 are now removed – compile with -Xlint:deprecation and replace all warnings.

jOOQ is upgraded to 3.20 and requires Java 21+ – ensure CI and runtime JDK meet this requirement.

Derby is deprecated – migrate tests to H2 or HSQL.

RabbitMQ/AMQP changes are postponed to 4.2 – evaluate impact before migration.

mvn -DskipTests compile
# or
./gradlew compileJava

After compilation, verify that no @Deprecated warnings remain.

Pros, cons and suitable scenarios

gRPC official support – eliminates third‑party starters.

Security enhancements – built‑in SSRF protection.

Observability upgrades – OTLP standardization.

Startup performance – lazy datasource.

Operational experience – Log4j file rotation via YAML.

Ecosystem sync – Spring Security 7.1, Kotlin 2.3, etc.

Breaking changes – removal of 4.0 deprecated APIs.

jOOQ requirement – Java 21+.

Derby deprecation – need to switch embedded DB.

Release delay – version postponed from May to June.

Recommended scenarios

New projects starting with 4.x – strongly recommended; zero migration cost, full feature set.

Existing 4.0.x projects – recommended; incremental upgrade with high benefit, manageable risk.

gRPC‑based services – strongly recommended; official support, unified configuration and observability.

Security‑sensitive applications – strongly recommended; out‑of‑the‑box SSRF protection.

jOOQ users – needs assessment; must run on Java 21+.

Legacy 3.x applications – planning required; upgrade path: 3.x → 4.0 → 4.1.