Spring Boot 4.1.0 Released: Production‑Ready Features You Should Know

Spring Boot 4.1.0 builds on the 4.x foundation by adding production‑focused enhancements such as native gRPC auto‑configuration, outbound SSRF protection, lazy JDBC connections, OpenTelemetry support, and updated Jackson 3 settings, while offering guidance on when and how to upgrade.

Architect's Tech Stack

gRPC finally gets official Spring Boot support

The most notable addition in 4.1.0 is built‑in gRPC auto‑configuration. Previously developers had to rely on third‑party starters or manually configure servers, channels, interceptors, and exception handling, which often led to fragmented setups and difficult debugging. With the new support, you simply register a gRPC service as a Spring bean (BindableService) and let Boot wire it to the server.

import io.grpc.stub.StreamObserver;
import org.springframework.grpc.server.service.GrpcService;

@GrpcService
public class UserGrpcService extends UserServiceGrpc.UserServiceImplBase {
    @Override
    public void getUser(UserRequest request, StreamObserver<UserResponse> responseObserver) {
        // Normal service/repository call, keep business logic out of gRPC layer
        UserResponse response = UserResponse.newBuilder()
                .setId(request.getId())
                .setName("鹏磊")
                .build();
        responseObserver.onNext(response);
        responseObserver.onCompleted();
    }
}

Configuration follows the usual Boot style:

spring:
  grpc:
    server:
      port: 9090

This eliminates the need for each project to reinvent gRPC infrastructure and integrates exception handling and metrics with the Spring ecosystem. A new @GrpcAdvice annotation mirrors @ControllerAdvice for unified error handling, allowing conversion of business exceptions to standard gRPC status codes.

import io.grpc.Status;
import org.springframework.grpc.server.exception.GrpcExceptionHandler;
import org.springframework.grpc.server.exception.GrpcExceptionHandlerAdvice;

@GrpcExceptionHandlerAdvice
class GlobalGrpcExceptionHandler {
    @GrpcExceptionHandler(IllegalArgumentException.class)
    Status handleBadRequest(IllegalArgumentException ex) {
        // Convert business exception to a gRPC status code
        return Status.INVALID_ARGUMENT.withDescription(ex.getMessage());
    }
}

Unified error semantics are crucial in micro‑service environments where gRPC is used for inter‑service communication.

SSRF protection now covers outbound requests

Spring Boot 4.1.0 introduces InetAddressFilter for HTTP client outbound address filtering. This protects against Server‑Side Request Forgery where a user‑supplied URL could point to internal networks, cloud metadata services, or localhost.

import java.net.InetAddress;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.client.RestClient;

@Configuration
class HttpClientSecurityConfig {
    @Bean
    RestClient restClient(RestClient.Builder builder) {
        return builder
                .requestInterceptor((request, body, execution) -> {
                    // Resolve the target host before the request is sent
                    String host = request.getURI().getHost();
                    InetAddress address = InetAddress.getByName(host);
                    // Block loopback, site‑local, and link‑local addresses
                    if (address.isLoopbackAddress() || address.isSiteLocalAddress() || address.isLinkLocalAddress()) {
                        throw new IllegalArgumentException("Blocked internal address: " + host);
                    }
                    return execution.execute(request, body);
                })
                .build();
    }
}

The interceptor above is a hand‑written illustration of the intent rather than a use of InetAddressFilter itself: outbound HTTP calls are no longer unrestricted, a vital safeguard as applications increasingly fetch webhooks, remote files, or AI‑generated URLs.
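The three-method test in the interceptor leaves some internal ranges reachable. The following is an added example, not code from the original article or from Spring Boot: OutboundAddressCheck, isInternal and resolveAllowed are hypothetical names, and the sample addresses are constructed. It compares the page's check with a wider one that also covers the wildcard address, IPv6 unique local addresses and the RFC 6598 shared range, and it checks every resolved record instead of only the first.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

// Added example: OutboundAddressCheck is a hypothetical helper, not a Spring Boot class.
public class OutboundAddressCheck {

    /** True if an outbound client should refuse to connect to this address. */
    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (b.length == 16) {
            // fc00::/7 unique local; isSiteLocalAddress() only matches the deprecated fec0::/10
            return (b[0] & 0xfe) == 0xfc;
        }
        // 100.64.0.0/10 shared address space (RFC 6598), not covered by isSiteLocalAddress()
        return (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40;
    }

    /** Resolves every record for the host and rejects it if any one is internal. */
    static List<InetAddress> resolveAllowed(String host) throws UnknownHostException {
        InetAddress[] all = InetAddress.getAllByName(host);
        for (InetAddress a : all) {
            if (isInternal(a)) {
                throw new IllegalArgumentException("Blocked internal address: " + a.getHostAddress());
            }
        }
        // Callers should connect to these vetted addresses, not resolve the name a second time.
        return List.of(all);
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; IP literals are parsed without a DNS lookup.
        String[] samples = {"127.0.0.1", "10.1.2.3", "169.254.169.254", "0.0.0.0",
                "100.64.0.1", "fd00:ec2::254", "::ffff:127.0.0.1", "93.184.216.34"};
        for (String s : samples) {
            InetAddress a = InetAddress.getByName(s);
            boolean pageCheck = a.isLoopbackAddress() || a.isSiteLocalAddress()
                    || a.isLinkLocalAddress();
            System.out.printf("%-18s page check blocks=%-5b full check blocks=%b%n",
                    s, pageCheck, isInternal(a));
        }
    }
}
```

On these samples the two checks disagree for 0.0.0.0, 100.64.0.1 and fd00:ec2::254, which the three-method test lets through. A check that resolves the name separately from the connection can still be bypassed if the name resolves differently the second time, which is why resolveAllowed returns the vetted addresses.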

Lazy‑loading JDBC connections to avoid unnecessary pool usage

Boot 4.1.0 adds the property spring.datasource.connection-fetch. When it is set to lazy, the auto‑configured DataSource is wrapped with LazyConnectionDataSourceProxy, so a physical connection is obtained only when a SQL statement is actually executed.

spring:
  datasource:
    # Lazy means a connection is not taken at transaction start, only when JDBC is used
    connection-fetch: lazy

Example service:

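import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
class OrderService {
    private final OrderRepository orderRepository;
    private final CacheService cacheService;

    // Constructor injection; OrderRepository and CacheService are application beans
    OrderService(OrderRepository orderRepository, CacheService cacheService) {
        this.orderRepository = orderRepository;
        this.cacheService = cacheService;
    }

    @Transactional(readOnly = true)
    public OrderDetail queryOrder(String orderId) {
        // Cache hit avoids taking a JDBC connection under lazy mode
        OrderDetail cached = cacheService.get(orderId);
        if (cached != null) {
            return cached;
        }
        // Real DB access only when needed
        return orderRepository.findDetail(orderId);
    }
}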

In high‑concurrency systems, reducing unnecessary connection acquisition lessens pool contention and improves stability.

OpenTelemetry enhancements for better observability

Boot continues to embed observability deeper. The new configuration enables OTLP export and full‑stack tracing across HTTP, gRPC, messaging, and databases.

management:
  tracing:
    sampling:
      probability: 1.0
  otlp:
    endpoint: http://localhost:4318/v1/traces
    timeout: 10s

Application code can now wrap business logic in an observation to appear in traces:

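import io.micrometer.observation.Observation;
import io.micrometer.observation.ObservationRegistry;
import org.springframework.stereotype.Service;

@Service
class PaymentService {
    private final ObservationRegistry observationRegistry;

    // The ObservationRegistry bean is injected through the constructor
    PaymentService(ObservationRegistry observationRegistry) {
        this.observationRegistry = observationRegistry;
    }

    public void pay(String orderId) {
        // Low-cardinality key only; the order ID is kept out of the observation tags
        Observation.createNotStarted("payment.process", observationRegistry)
                .lowCardinalityKeyValue("biz", "payment")
                .observe(() -> doPay(orderId));
    }

    private void doPay(String orderId) {
        // payment logic, message publishing, etc.
    }
}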

With gRPC support and the observation interceptor, both HTTP and gRPC calls are captured in a unified trace, simplifying debugging of mixed‑protocol microservices.

Jackson 3 configuration updates

Spring Boot 4 moves to Jackson 3 (package tools.jackson instead of com.fasterxml.jackson). Configuration properties and customizations have changed, so projects must adjust their ObjectMapper beans.

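import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import tools.jackson.databind.DeserializationFeature;
import tools.jackson.databind.json.JsonMapper;

@Configuration
class JacksonConfig {
    @Bean
    JsonMapper jsonMapper(JsonMapper.Builder builder) {
        // JsonMapper is the JSON ObjectMapper in Jackson 3 and is configured through its builder
        // Ignore unknown fields to avoid breaking when third‑party APIs add new properties
        return builder.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
                      .build();
    }
}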

Upgrading projects should add serialization tests for request/response DTOs to catch changes in date formats, enum handling, or null‑value behavior.

Should you upgrade now?

Spring Boot 4.1.0 is not a mandatory “upgrade tonight” release. If you are still on Spring Boot 2.x or using Java 8/11, upgrade incrementally: first move to Java 17, then to Jakarta EE 11, Spring Framework 7, and finally Jackson 3. For projects already on 4.0.x, 4.1.0 is worth evaluating because it strengthens production capabilities without altering the overall programming model.

Key scenarios that benefit most are:

Microservices that already use gRPC.

Applications that accept webhook URLs or perform outbound HTTP calls (AI tools, remote file fetches).

Systems where the database connection pool is frequently saturated.

Services that are consolidating tracing, metrics, and logs.

Overall, Spring Boot 4.1.0 does not introduce flashy new syntax but quietly incorporates many repetitive, error‑prone configurations into the framework, reducing boilerplate and improving reliability.
