Spring Boot 4.1.0 Released: gRPC Auto‑Config, SSRF‑Safe HTTP Client, Lazy JDBC, @RedisListener and OpenTelemetry Enhancements

Spring Boot 4.1.0, launched on June 10, 2026, adds built‑in gRPC server/client auto‑configuration, an InetAddressFilter to block SSRF attacks, lazy JDBC connection fetching, automatic @RedisListener registration, unified Jackson settings, OpenTelemetry improvements and several other developer‑experience upgrades, all illustrated with runnable demos and migration tips.

java1234

Spring Boot 4.1.0 was officially released on 2026‑06‑10. The update targets developers who still manually configure gRPC, worry about HTTP client SSRF, or write extensive Redis listener setups, promising a ten‑minute upgrade walk‑through.


What’s new in Spring Boot 4.1.0?

The official blog summarizes the release as “write better, safer, more observable.” Key directions and representative features are:

Microservice communication: built‑in gRPC server/client auto‑configuration.

Security hardening: HTTP client InetAddressFilter for SSRF protection.

Performance optimization: lazy JDBC connection fetching.

Developer experience: automatic @RedisListener registration and unified Jackson configuration.

Operations observability: enhanced OpenTelemetry support and additional process info in the /actuator/info endpoint.

1. Official gRPC support – no more custom starters

Previously, using gRPC in Spring Boot required third‑party starters with manual version alignment, interceptors, and health checks. Starting with 4.1, Spring provides the starter spring-boot-starter-grpc-server that automatically starts a gRPC server on port 9090.

Step 1: Add the dependency

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-grpc-server</artifactId>
</dependency>

Step 2: Write a Hello service

import io.grpc.stub.StreamObserver;
import org.springframework.grpc.server.service.GrpcService;

@GrpcService
public class HelloService extends HelloWorldGrpc.HelloWorldImplBase {
    @Override
    public void sayHello(HelloRequest request, StreamObserver<HelloReply> responseObserver) {
        String message = "你好," + request.getName() + "!欢迎体验 Spring Boot 4.1 的 gRPC!";
        HelloReply reply = HelloReply.newBuilder().setMessage(message).build();
        responseObserver.onNext(reply);
        responseObserver.onCompleted();
    }
}

Step 3: Start the application

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

With these few lines, the gRPC service registers automatically. The starter also provides @GrpcAdvice for global exception handling and a Micrometer‑integrated tracing interceptor.

2. HTTP client SSRF protection

SSRF (Server‑Side Request Forgery) allows an attacker to make the server request internal addresses such as http://127.0.0.1. Spring Boot 4.1 introduces InetAddressFilter to restrict outbound requests.

Option A – Allow only public addresses

import org.springframework.boot.http.client.ClientHttpRequestFactoryBuilder;
import org.springframework.boot.http.client.HttpClientSettings;
import org.springframework.boot.http.client.InetAddressFilter;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestClient;

@Service
public class SafeApiClient {
    private final RestClient restClient;

    public SafeApiClient() {
        // Reject all private IPs
        InetAddressFilter filter = InetAddressFilter.externalAddresses();
        HttpClientSettings settings = HttpClientSettings.defaults().withInetAddressFilter(filter);
        ClientHttpRequestFactory factory = ClientHttpRequestFactoryBuilder.jdk().build(settings);
        this.restClient = RestClient.builder()
                .requestFactory(factory)
                .baseUrl("https://api.example.com")
                .build();
    }

    public String fetchData(String path) {
        return restClient.get().uri(path).retrieve().body(String.class);
    }
}

Option B – Bean with whitelist + blacklist

import org.springframework.boot.http.client.InetAddressFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class HttpSecurityConfig {
    @Bean
    public InetAddressFilter httpClientInetAddressFilter() {
        // Allow 192.168.1.0/24 but exclude .1 and .10
        return InetAddressFilter.of("192.168.1.0/24")
                .andNot("192.168.1.1", "192.168.1.10");
    }
}

For services that construct outbound URLs from user input, adding this filter is strongly recommended to prevent SSRF vulnerabilities.
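
What "external addresses only" has to cover in practice, as an added example that uses only the JDK. It is not code from the original article and not Spring Boot's implementation of InetAddressFilter, whose exact coverage the article does not state; the class name and sample addresses are constructed for illustration.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

public class ExternalAddressCheck {

    /** True only for addresses outside loopback, private, link-local and similar ranges. */
    static boolean isExternal(InetAddress addr) {
        // JDK helpers cover 127/8, ::1, 0.0.0.0, 10/8, 172.16/12, 192.168/16,
        // 169.254/16 (cloud metadata lives here), fe80::/10 and multicast.
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress()
                || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                || addr.isMulticastAddress()) {
            return false;
        }
        byte[] b = addr.getAddress();
        if (addr instanceof Inet6Address) {
            // fc00::/7 unique local addresses are not matched by isSiteLocalAddress()
            return (b[0] & 0xfe) != 0xfc;
        }
        // 100.64.0.0/10 shared address space (RFC 6598) is not matched either
        return !((b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40);
    }

    /** A host passes only if every address it resolves to is external. */
    static boolean hostIsExternal(String host) throws UnknownHostException {
        for (InetAddress a : InetAddress.getAllByName(host)) {
            if (!isExternal(a)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed samples; IP literals are parsed without any DNS lookup.
        List<String> samples = List.of(
                "127.0.0.1", "10.0.0.5", "192.168.1.10", "169.254.169.254",
                "100.64.0.1", "0.0.0.0", "::1", "fd00::1", "fe80::1",
                "::ffff:127.0.0.1", "8.8.8.8", "2001:4860:4860::8888");
        for (String s : samples) {
            System.out.printf("%-22s external=%b%n", s, hostIsExternal(s));
        }
    }
}
```

The check only holds if it is applied to the address the client actually connects to. Validating the URL's host in application code and then letting the HTTP client resolve the name again leaves room for the second lookup to return an internal address.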

3. Lazy JDBC connection fetching

When a method is annotated with @Transactional, Spring traditionally borrows a connection from the pool immediately, even if no SQL is executed. Version 4.1 adds the property spring.datasource.connection-fetch with values eager (default) and lazy. Setting it to lazy defers the physical connection until the first SQL statement runs.

spring:
  datasource:
    url: jdbc:mysql://localhost:3306/db_demo
    username: root
    password: 123456
    connection-fetch: lazy  # optional values: eager (default), lazy

Example comparison (pseudo‑code):

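import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class OrderService {
    // OrderRepository is the application's own repository type (assumed here, not shown in the article)
    private final OrderRepository orderRepository;

    public OrderService(OrderRepository orderRepository) {
        this.orderRepository = orderRepository;
    }

    @Transactional
    public void processOrder(Long orderId) {
        // eager mode: connection borrowed at method entry
        // lazy mode: connection not borrowed until SQL execution
        if (orderId == null) {
            return; // lazy mode: connection never used
        }
        orderRepository.findById(orderId); // connection fetched here
    }
}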

This switch is useful for transactional methods that may return early without accessing the database.

4. @RedisListener auto‑configuration

Previously, using Spring Data Redis for message listening required manual configuration of a RedisMessageListenerContainer. Spring Boot 4.1 automatically registers a default container when Redis is on the classpath and no custom container is defined. Developers only need to annotate methods with @RedisListener.

Demo: Listen to an order‑cancel channel

import org.springframework.data.redis.connection.Message;
import org.springframework.data.redis.connection.MessageListener;
import org.springframework.data.redis.listener.adapter.MessageListenerAdapter;
import org.springframework.stereotype.Component;

@Component
public class OrderEventListener {
    @RedisListener(topics = "order:cancel")
    public void onOrderCancel(String message) {
        System.out.println("收到订单取消消息:" + message);
        // perform stock rollback, notify user, etc.
    }
}

Optional configuration (defaults to enabled):

spring:
  data:
    redis:
      host: localhost
      port: 6379
      listener:
        enabled: true  # default

The starter spring-boot-starter-data-redis now also pulls in spring-messaging automatically.

5. Observability upgrades – OpenTelemetry

OpenTelemetry support is enhanced with easier configuration. Common settings include:

management:
  opentelemetry:
    enabled: true
    tracing:
      sampler: parentbased_always_on
      limits:
        max-attributes: 128
    logging:
      limits:
        max-attributes: 128
  otlp:
    metrics:
      export:
        compression-mode: gzip

The @Async annotation now propagates tracing context to asynchronous threads, enabling end‑to‑end traceability.

Visiting /actuator/info now shows additional process information such as uptime, start time, timezone, locale and working directory, reducing the number of questions ops teams need to ask.

6. Other noteworthy improvements

Unified Jackson read/write configuration (unknown‑properties fail, pretty‑print output).

Configuration file import can specify encoding, e.g., classpath:import.properties[encoding=utf-8].

Spring Batch now supports MongoDB via the starter spring-boot-batch-data-mongo.

Log4j log rotation supports size, time and Cron‑expression based policies.

Kotlin baseline upgraded to 2.3, with Java 25 compatibility.

7. Upgrade checklist

APIs deprecated in 4.0 have been removed – scan for compilation warnings.

Apache Derby integration is removed – migrate to H2 or HSQL.

The Maven flag -DskipTests no longer skips AOT processing; use -Dmaven.test.skip=true instead.

If you used the third‑party spring‑grpc‑starter version 1.0, follow the official migration guide.

Written by

java1234

Former senior programmer at a Fortune Global 500 company, dedicated to sharing Java expertise. Visit Feng's site: Java Knowledge Sharing, www.java1234.com
