Spring Boot 4.1.0 Released – 8 Core New Features Every Developer Should Know

Release Overview

On June 10, 2026, the Spring Boot team officially released version 4.1.0. The announcement sparked a lot of discussion in the Java community because the previous 4.0 release (November 2025) was a "generational upgrade" that introduced Jakarta EE 11, Jackson 3, JSpecify null‑safety, and Gradle 9 support. Spring Boot 4.1 is positioned as an incremental enhancement that fills the production‑grade gaps left by 4.0.

The following diagram shows the evolution of the Spring Boot 4.x family:

1. gRPC Official Support

Previously, using gRPC in Spring Boot required manual Netty server configuration, custom interceptors, or third‑party starters, which often led to cumbersome setup and maintenance. Spring Boot 4.1 introduces three new starters that make gRPC a first‑class citizen: spring-boot-starter-grpc-server – automatic server configuration spring-boot-starter-grpc-client – automatic client configuration spring-boot-starter-batch-mongodb – Spring Batch + MongoDB support

Example of adding the server starter:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-grpc-server</artifactId>
</dependency>

Implementing a gRPC service becomes straightforward:

@GrpcService
public class GreetingServiceImpl extends GreetingServiceGrpc.GreetingServiceImplBase {
    @Override
    public void sayHello(HelloRequest request, StreamObserver<HelloReply> responseObserver) {
        String message = "Hello, " + request.getName() + "!";
        HelloReply reply = HelloReply.newBuilder().setMessage(message).build();
        responseObserver.onNext(reply);
        responseObserver.onCompleted();
    }
}

Configuration is minimal:

spring:
  grpc:
    server:
      port: 9090 # default gRPC port
      transport: netty # or servlet for HTTP/2 integration

Exception handling is unified with @GrpcAdvice:

@GrpcAdvice
public class GlobalGrpcExceptionHandler {
    @GrpcExceptionHandler(IllegalArgumentException.class)
    public StatusRuntimeException handleIllegalArgument(IllegalArgumentException e) {
        return Status.INVALID_ARGUMENT.withDescription(e.getMessage()).asRuntimeException();
    }
}

The framework also auto‑registers an ObservationGrpcServerInterceptor that collects metrics and tracing data for each gRPC call.

Supported transport modes are:

Standalone Netty – high‑performance pure gRPC

Servlet HTTP/2 – integrates with existing servlet containers

Service call graph example:

2. HTTP Client SSRF Protection

Server‑Side Request Forgery (SSRF) is a serious security risk that allows attackers to make the server request internal resources. Spring Boot 4.1 adds a built‑in SSRF defence based on InetAddressFilter:

When HttpClient resolves a target hostname, the IP address is obtained. InetAddressFilter checks whether the IP is on an allow‑list.

If the IP appears on a deny‑list (e.g., private ranges, loopback), the request is rejected.

This prevents redirection to malicious internal addresses.

Configuration is declarative in application.yml:

spring:
  http:
    client:
      ssrf:
        enabled: true
        deny-ip-subnets:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
          - 127.0.0.0/8
        allow-ip-subnets:
          - 192.168.1.0/24

When the filter is enabled, any outbound request to a black‑listed IP is automatically blocked. Example controller that benefits from the protection:

@RestController
public class ProxyController {
    @Autowired
    private RestClient restClient; // SSRF protection applied automatically

    @GetMapping("/fetch")
    public String fetchUrl(@RequestParam String url) {
        // If the URL points to an internal address, the request is rejected
        return restClient.get().uri(url).retrieve().body(String.class);
    }
}

3. Observability Enhancements

Spring Boot 4.1 aligns with the OpenTelemetry ecosystem by allowing OTLP exporter configuration through standard environment variables:

# application.yml
spring:
  telemetry:
    otlp:
      exporter:
        endpoint: http://otel-collector:4318
        timeout: 10s

# or via environment variables (recommended)
export OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4318
export OTEL_EXPORTER_OTLP_TIMEOUT=10000

The /actuator/info endpoint now returns richer process information such as uptime, start time, current time, timezone, locale, and working directory:

{
  "process": {
    "uptime": 3600000,
    "startTime": "2026-06-10T10:00:00Z",
    "currentTime": "2026-06-10T11:00:00Z",
    "timezone": "Asia/Shanghai",
    "locale": "zh_CN",
    "workingDir": "/app"
  }
}

Spring Boot also auto‑configures observation beans for Spring AMQP (RabbitMQ) and Spring Kafka, enabling out‑of‑the‑box metrics and tracing:

spring:
  rabbitmq:
    observation:
      enabled: true
  kafka:
    observation:
      enabled: true

4. Data‑Access Layer Improvements

Lazy datasource connections are now supported via LazyConnectionDataSourceProxy. The connection is deferred until the first actual use, which speeds up start‑up time for microservices:

spring:
  datasource:
    lazy: true # enable lazy connection

Result: applications start noticeably faster because the connection pool is not fully initialized at launch.

The @Async infrastructure has been enhanced to propagate security, transaction, and other contextual information across asynchronous boundaries.

Jackson 3.1.4 brings finer‑grained JSON serialization configuration, and the previously bundled Apache Derby integration is now deprecated. Projects using Derby are advised to migrate to H2 or HSQL.

5. Build‑Toolchain Optimizations

Maven layers have been refined to produce more granular Docker image layers, improving build cache reuse:

# Example Maven plugin configuration (layers are now more fine‑grained)

Gradle’s bootBuildImage now supports environment‑variable based configuration, and the spring.config.import property can specify character‑set encoding for imported configuration files:

spring:
  config:
    import: "file:./config/application-utf8.yml?charset=UTF-8"

6. Log4j File‑Rotation Support

Log4j 2 can now be configured for file rotation directly in application.yml, eliminating the need for a separate log4j2.xml file:

logging:
  log4j2:
    file:
      rotation:
        strategy: size
        max-size: 100MB
        max-history: 30
        compression: gz

7. Kotlin 2.3 Support

Spring Boot 4.1 upgrades its Kotlin support to version 2.3, allowing developers to use the latest language features without additional configuration.

8. Dependency Ecosystem Updates

Spring Security 7.1.0

Spring Data 2025.1.6

Project Reactor 2025.0.6

Jackson 3.1.4

Testcontainers 2.0.5

Spring gRPC 1.1.0

Breaking‑Change Checklist

APIs marked @Deprecated in 4.0 are now removed; clean them before upgrading.

jOOQ is upgraded to 3.20 and requires Java 21 or newer.

Derby integration is deprecated; migrate to H2/HSQL for embedded testing.

RabbitMQ/AMQP changes are postponed to 4.2; evaluate carefully before migration.

Pros, Cons, and Recommended Scenarios

Pros: Official gRPC support, built‑in SSRF protection, standardized OTLP observability, lazy datasource for faster start‑up, simplified Log4j configuration, Kotlin 2.3, ecosystem alignment.

Cons: Breaking changes require code cleanup; jOOQ users must upgrade JDK; Derby removal may affect tests.

Recommended adoption scenarios:

New projects – start with 4.1 to get all features out of the box.

Existing 4.0.x projects – incremental upgrade provides high benefit with manageable risk.

gRPC‑based services – strong recommendation to migrate to the official starters.

Security‑sensitive applications – enable SSRF protection immediately.

jOOQ users – verify Java 21+ before upgrading.

Conclusion

Spring Boot 4.1.0 is not a "rewrite" but a comprehensive polishing of the 4.0 release, delivering production‑grade capabilities that address real‑world pain points: official gRPC integration, framework‑level SSRF defence, OpenTelemetry‑aligned observability, start‑up performance gains, and smoother operational configuration. Teams already on 4.0 should plan an upgrade, while newcomers should consider starting directly with 4.1.