Spring Boot 4.1: gRPC, Security, and Kotlin Boosts

Spring Boot 4.1: Elevating Performance and Security

Spring Boot 4.1's release is a solid incremental update, focusing on developer productivity and security. The introduction of gRPC auto-configuration is a particularly strong move, democratizing the use of this high-performance RPC framework within the Spring ecosystem. This eliminates a significant barrier to entry for developers who previously had to manage complex manual configurations or rely on less maintained third-party starters. The SSRF mitigation is a critical security enhancement, addressing a prevalent vulnerability that can have severe consequences for applications exposed to external networks. By providing a built-in mechanism for blocking malicious outbound requests, Spring Boot 4.1 significantly improves the security posture of applications. Lazy data source connections and asynchronous context propagation for @Async methods are welcome additions that directly address performance concerns, particularly for large or high-traffic applications, leading to faster startup times and reduced resource pressure. The move to Kotlin 2.3 support also aligns with the broader Java ecosystem's embrace of Kotlin, ensuring continued compatibility and access to new language features.

However, the delay in release, though minor, might raise some eyebrows given Spring Boot's usual predictability. While Spring Boot 4.0 was a major generational leap, 4.1 is more evolutionary. This is not inherently negative, as stable, iterative improvements are valuable. Nevertheless, developers anticipating more radical changes might find this release to be more of a refinement than a revolution. The deprecation of Apache Derby support, while understandable given the project's retirement, means users still relying on it will need to migrate. The removal of the layertools JAR mode, while replaced by tools mode, still represents a change that developers will need to adapt to. The requirement for Java 21 for jOOQ 3.20 integration, while not a hard requirement for Spring Boot 4.1 itself, could necessitate a JDK upgrade for some users wanting to leverage this specific feature, potentially adding to the adoption effort for certain use cases. Overall, the benefits of enhanced gRPC integration, improved security, and performance optimizations outweigh these minor concerns for the vast majority of Spring Boot users.

Key Points

• Spring Boot 4.1 released on June 10, 2026, with key features including gRPC auto-configuration, SSRF mitigation, and Kotlin 2.3 support.
• gRPC auto-configuration simplifies the integration of gRPC for both server and client applications, supporting Netty and Servlet HTTP/2 transports, and includes @GrpcAdvice for centralized exception handling.
• HTTP client SSRF mitigation is introduced via an InetAddressFilter to block outbound requests to configured address ranges, enhancing application security.
• Performance improvements include lazy datasource connections, deferring physical connection until SQL execution, and asynchronous context propagation for @Async methods to maintain trace IDs and spans across threads.
• Kotlin baseline upgraded to 2.3, which supports Java 25 and an experimental unused return value checker.
• OpenTelemetry support is enhanced with a new enabled property, OTLP exemplar support, SSL bundles for exporters, and improved environment variable reading.
• Other notable changes include auto-configuration for Spring Data Redis listener endpoints, new fields in /actuator/info's ProcessInfo, configurable Jackson properties, and changes to the Maven plugin's AOT processing for tests.
• Deprecations include Apache Derby support, Dynatrace V1 API properties, and DevTools LiveReload, while new deprecations are introduced for these areas.

---

📖 Source: Spring Boot 4.1 Adds gRPC Auto-Configuration, SSRF Mitigation, and Kotlin 2.3 Support