Spring Boot 4.1.0 Released: gRPC Auto‑Config, SSRF‑Safe HTTP Client, Lazy JDBC, @RedisListener and OpenTelemetry Enhancements
Spring Boot 4.1.0, launched on June 10, 2026, adds built‑in gRPC server/client auto‑configuration, an InetAddressFilter to block SSRF attacks, lazy JDBC connection fetching, automatic @RedisListener registration, unified Jackson settings, OpenTelemetry improvements and several other developer‑experience upgrades, all illustrated with runnable demos and migration tips.
Spring Boot 4.1.0 was officially released on 2026‑06‑10. The update targets developers who still manually configure gRPC, worry about HTTP client SSRF, or write extensive Redis listener setups, promising a ten‑minute upgrade walk‑through.
What’s new in Spring Boot 4.1.0?
The official blog summarizes the release as “write better, safer, more observable.” Key directions and representative features are:
Microservice communication: built‑in gRPC server/client auto‑configuration.
Security hardening: HTTP client InetAddressFilter for SSRF protection.
Performance optimization: lazy JDBC connection fetching.
Developer experience: automatic @RedisListener registration and unified Jackson configuration.
Operations observability: enhanced OpenTelemetry support and additional process info in the /actuator/info endpoint.
1. Official gRPC support – no more custom starters
Previously, using gRPC in Spring Boot required third‑party starters with manual version alignment, interceptors, and health checks. Starting with 4.1, Spring provides the starter spring-boot-starter-grpc-server that automatically starts a gRPC server on port 9090.
Step 1: Add the dependency
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-grpc-server</artifactId>
    </dependency>
Step 2: Write a Hello service
    import io.grpc.stub.StreamObserver;
    import org.springframework.grpc.server.service.GrpcService;

    @GrpcService
    public class HelloService extends HelloWorldGrpc.HelloWorldImplBase {
        @Override
        public void sayHello(HelloRequest request, StreamObserver<HelloReply> responseObserver) {
            String message = "你好," + request.getName() + "!欢迎体验 Spring Boot 4.1 的 gRPC!";
            HelloReply reply = HelloReply.newBuilder().setMessage(message).build();
            responseObserver.onNext(reply);
            responseObserver.onCompleted();
        }
    }
Step 3: Start the application
    @SpringBootApplication
    public class DemoApplication {
        public static void main(String[] args) {
            SpringApplication.run(DemoApplication.class, args);
        }
    }
With these few lines, the gRPC service registers automatically. The starter also provides @GrpcAdvice for global exception handling and a Micrometer‑integrated tracing interceptor.
2. HTTP client SSRF protection
SSRF (Server‑Side Request Forgery) allows an attacker to make the server request internal addresses such as http://127.0.0.1. Spring Boot 4.1 introduces InetAddressFilter to restrict outbound requests.
Option A – Allow only public addresses
    import org.springframework.boot.http.client.ClientHttpRequestFactoryBuilder;
    import org.springframework.boot.http.client.HttpClientSettings;
    import org.springframework.boot.http.client.InetAddressFilter;
    import org.springframework.http.client.ClientHttpRequestFactory;
    import org.springframework.stereotype.Service;
    import org.springframework.web.client.RestClient;

    @Service
    public class SafeApiClient {
        private final RestClient restClient;

        public SafeApiClient() {
            // Reject all private IPs
            InetAddressFilter filter = InetAddressFilter.externalAddresses();
            HttpClientSettings settings = HttpClientSettings.defaults().withInetAddressFilter(filter);
            ClientHttpRequestFactory factory = ClientHttpRequestFactoryBuilder.jdk().build(settings);
            this.restClient = RestClient.builder()
                    .requestFactory(factory)
                    .baseUrl("https://api.example.com")
                    .build();
        }

        public String fetchData(String path) {
            return restClient.get().uri(path).retrieve().body(String.class);
        }
    }
Option B – Bean with whitelist + blacklist
    import org.springframework.boot.http.client.InetAddressFilter;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class HttpSecurityConfig {
        @Bean
        public InetAddressFilter httpClientInetAddressFilter() {
            // Allow 192.168.1.0/24 but exclude .1 and .10
            return InetAddressFilter.of("192.168.1.0/24")
                    .andNot("192.168.1.1", "192.168.1.10");
        }
    }
For services that construct outbound URLs from user input, adding this filter is strongly recommended to prevent SSRF vulnerabilities.
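The address categories an outbound filter of this kind has to refuse, as an added example in plain JDK Java. It is not code from this article or from Spring Boot and does not reproduce InetAddressFilter; the names OutboundAddressCheck, isExternal and isAllowed are hypothetical, and the sample URLs are constructed.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;

// Added example: plain-JDK address classification, not Spring Boot's InetAddressFilter code.
public class OutboundAddressCheck {

    // True only when the address lies outside loopback, private, link-local and similar ranges.
    static boolean isExternal(InetAddress addr) {
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                || addr.isSiteLocalAddress() || addr.isMulticastAddress()) {
            return false;
        }
        byte[] b = addr.getAddress();
        if (b.length == 4) {
            int first = b[0] & 0xFF;
            int second = b[1] & 0xFF;
            if (first == 0) return false;                                    // 0.0.0.0/8
            if (first == 100 && second >= 64 && second <= 127) return false; // 100.64.0.0/10 shared space
        } else if ((b[0] & 0xFE) == 0xFC) {
            return false;                                                    // fc00::/7 unique local
        }
        return true;
    }

    // Every address the host resolves to must be external; malformed or unresolvable input is refused.
    static boolean isAllowed(String url) {
        try {
            String host = URI.create(url).getHost();
            if (host == null) return false;
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (!isExternal(addr)) return false;
            }
            return true;
        } catch (UnknownHostException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples, IP literals only so no DNS lookup is made.
        // 203.0.113.10 is a documentation-range address standing in for a public host.
        List<String> samples = List.of("http://127.0.0.1/", "http://10.0.0.5/", "http://192.168.1.10/",
                "http://169.254.169.254/", "http://100.64.0.1/", "http://[::1]/", "http://[fd00::1]/",
                "http://203.0.113.10/");
        for (String url : samples) {
            System.out.println((isAllowed(url) ? "allow  " : "refuse ") + url);
        }
    }
}
```

A pre-flight check like this only classifies addresses. Enforcement belongs inside the HTTP client, applied to the address each connection actually uses, including after redirects.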
3. Lazy JDBC connection fetching
When a method is annotated with @Transactional, Spring traditionally borrows a connection from the pool immediately, even if no SQL is executed. Version 4.1 adds the property spring.datasource.connection-fetch with values eager (default) and lazy. Setting it to lazy defers the physical connection until the first SQL statement runs.
    spring:
      datasource:
        url: jdbc:mysql://localhost:3306/db_demo
        username: root
        password: 123456
        connection-fetch: lazy # optional values: eager (default), lazy
Example comparison (pseudo‑code):
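    import org.springframework.stereotype.Service;
    import org.springframework.transaction.annotation.Transactional;

    @Service
    public class OrderService {
        // OrderRepository is a hypothetical Spring Data repository, injected via the constructor
        private final OrderRepository orderRepository;

        public OrderService(OrderRepository orderRepository) {
            this.orderRepository = orderRepository;
        }

        @Transactional
        public void processOrder(Long orderId) {
            // eager mode: connection borrowed at method entry
            // lazy mode: connection not borrowed until SQL execution
            if (orderId == null) {
                return; // lazy mode: connection never borrowed
            }
            orderRepository.findById(orderId); // connection fetched here
        }
    }
This switch is useful for transactional methods that may return early without accessing the database.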
4. @RedisListener auto‑configuration
Previously, using Spring Data Redis for message listening required manual configuration of a RedisMessageListenerContainer. Spring Boot 4.1 automatically registers a default container when Redis is on the classpath and no custom container is defined. Developers only need to annotate methods with @RedisListener.
Demo: Listen to an order‑cancel channel
    import org.springframework.data.redis.connection.Message;
    import org.springframework.data.redis.connection.MessageListener;
    import org.springframework.data.redis.listener.adapter.MessageListenerAdapter;
    import org.springframework.stereotype.Component;

    @Component
    public class OrderEventListener {
        @RedisListener(topics = "order:cancel")
        public void onOrderCancel(String message) {
            System.out.println("收到订单取消消息:" + message);
            // perform stock rollback, notify user, etc.
        }
    }
Optional configuration (defaults to enabled):
    spring:
      data:
        redis:
          host: localhost
          port: 6379
          listener:
            enabled: true # default
The starter spring-boot-starter-data-redis now also pulls in spring-messaging automatically.
5. Observability upgrades – OpenTelemetry
OpenTelemetry support is enhanced with easier configuration. Common settings include:
    management:
      opentelemetry:
        enabled: true
        tracing:
          sampler: parentbased_always_on
          limits:
            max-attributes: 128
        logging:
          limits:
            max-attributes: 128
      otlp:
        metrics:
          export:
            compression-mode: gzip
The @Async annotation now propagates tracing context to asynchronous threads, enabling end‑to‑end traceability.
Visiting /actuator/info now shows additional process information such as uptime, start time, timezone, locale and working directory, reducing the number of questions ops teams need to ask.
6. Other noteworthy improvements
Unified Jackson read/write configuration (unknown‑properties fail, pretty‑print output).
Configuration file import can specify encoding, e.g., classpath:import.properties[encoding=utf-8].
Spring Batch now supports MongoDB via the starter spring-boot-batch-data-mongo.
Log4j log rotation supports size, time and Cron‑expression based policies.
Kotlin baseline upgraded to 2.3, with Java 25 compatibility.
7. Upgrade checklist
APIs deprecated in 4.0 have been removed – scan for compilation warnings.
Apache Derby integration is removed – migrate to H2 or HSQL.
The Maven flag -DskipTests no longer skips AOT processing; use -Dmaven.test.skip=true instead.
If you used the third‑party spring‑grpc‑starter version 1.0, follow the official migration guide.
java1234
Former senior programmer at a Fortune Global 500 company, dedicated to sharing Java expertise. Visit Feng's site: Java Knowledge Sharing, www.java1234.com
