Spring News Roundup: Milestone Releases of Boot, Security, Auth Server, Integration, AI and AMQP

There was a flurry of activity in the Spring ecosystem during the week of February 17th, 2025, highlighting milestone releases of: Spring Boot, Spring Security, Spring Authorization Server, Spring Integration, Spring AI and Spring AMQP.

Many of these releases are included in Spring Boot 3.5.0-M2, 3.4.3 and 3.3.9.

Spring Boot

The second milestone release of Spring Boot 3.5.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: the ability to trigger a Quartz job on-demand via an actuator endpoint; and support for Prometheus Client by updating the PrometheusPushGatewayManager class. More details on this release may be found in the release notes.

Similarly, versions 3.4.3 and 3.3.9 of Spring Boot have been released (announced here and here, respectively) featuring bug fixes, improvements in documentation, dependency upgrades and the addition of TWENTY_FOUR to the JavaVersion enum class. Further details on these releases may be found in the release notes for version 3.4.3 and version 3.3.9.

Spring Security

The second milestone release of Spring Security 6.5.0 delivers bug fixes, dependency upgrades and new features such as: a new HttpStatusAccessDeniedHandler class that sets an HTTP status code as a response; and new interfaces, GenerateOneTimeTokenRequestResolver and ServerGenerateOneTimeTokenRequestResolver, strategies for resolving an instance of the GenerateOneTimeTokenRequest class from the Jakarta Servlet HttpServletRequest and a Spring Framework ServerWebExchange interfaces, respectively. More details on this release may be found in the release notes.

Similarly, versions 6.4.3 and 6.3.7 of Spring Security have also been released with bug fixes, dependency upgrades and new features: a refactor of the s101 Gradle task is now dependent upon the assemble task instead of the check task for improved stability; and the addition of the disableDefaultRegistrationPage boolean field to the WebAuthnDsl class to disable a default WebAuthn registration page. Further details on these releases may be found in the release notes for version 6.4.3 and version 6.3.7.

Spring Authorization Server

The first milestone release of Spring Authorization Server 1.5.0 ships with dependency upgrades and support for Internet Engineering Task Force (IETF) RFC 9449, OAuth 2.0 Demonstrating Proof of Possession (DPoP), a mechanism for "sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level." More details on this release may be found in the release notes.

Similarly, versions 1.4.2 and 1.3.5 of Spring Authorization Server have also been released with bug fixes, dependency upgrades and new features in version 1.4.2 that include: the addition of the Java @Override annotation to the many OAuth2, OIDC and JWT-related classes; and a replacement of the deprecated fromHttpUrl() method, defined in the Spring Framework UriComponentsBuilder class, with the preferred fromUriString() method in the AuthorizationServerContextFilter class. Further details on these releases may be found in the release notes for version 1.4.2 and version 1.3.5.

Spring for GraphQL

The release of Spring for GraphQL 1.3.4 ships with bug fixes, improvements in documentation, dependency upgrades and new features such as: implementations of the Spring Framework WebSocketHandler interface now log unhandled errors; and the authorization key lookup in the BearerTokenAuthenticationExtractor class should be case insensitive. More details on this release may be found in the release notes.

Spring Session

Versions 3.4.2 and 3.3.6 of Spring Session have been released featuring notable dependency upgrades such as: Spring Boot 3.3.8, Spring Framework 6.2.3 and Project Reactor 2023.0.15. Further details on these releases may be found in the release notes for version 3.4.2 and version 3.3.6.

Spring Integration

The second milestone release of Spring Integration 6.5.0 delivers bug fixes, dependency upgrades and new features that include: an instance of the StreamTransformer class must remove a CLOSEABLE_RESOURCE header, defined in the IntegrationMessageHeaderAccessor class, from the output message once the resource has been closed; and inbound channel adapters for Apache Kafka now generate ID and TIMESTAMP headers, defined in the Spring Framework MessageHeaders class, by default for consistency with the rest of similar channel adapters in Spring Integration. More details on this release may be found in the release notes.

Similarly, versions 6.4.2 and 6.3.8 of Spring Integration have been released featuring dependency upgrades and resolutions to notable issues such as: use of the taskScheduler() method, defined in the DelayerEndpointSpec class, that doesn't allow to specify a custom task scheduler; and an instance of the SftpInboundFileSynchronizer fails to synchronize files if the directory path is a symbolic link. Further details on this release may be found in the release notes for version 6.4.2 and version 6.3.8.

Spring AI

The sixth milestone release of Spring AI 1.0.0 focuses on a continued "review of the codebase from a design perspective." New features include: the ability to declaratively, programmatically and functionally define tools with new annotations, @Tool and @ToolParam, and new classes, MethodToolCallback and FunctionToolCallback; integration of the new Model Context Protocol Java SDK; and enhancements to the Vector Store API. More details on this release, including breaking changes, may be found in the upgrade notes.

Spring AMQP

The first milestone release of Spring AMQP 4.0.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: a full null-safety migration using JSpecify and NullAway; and improvements to the AbstractMessageListenerContainer class that changes the getMessageAckListener() from protected to public (for consistency with the corresponding setMessageAckListener() method) and the addition of a missing getErrorHandler() method. Further details on this release may be found in the release notes.

Similarly, versions 3.2.3 and 3.1.9 of Spring AMQP have also been released providing bug fixes, dependency upgrades and a backport of the improvements to the aforementioned AbstractMessageListenerContainer class. More details on this release may be found in the release notes for version 3.2.3 and version 3.1.9.

Spring for Apache Kafka

Versions 3.3.3 and 3.2.7 of Spring for Apache Kafka have been released providing bug fixes, dependency upgrades and an optimization of the MessagingMessageListenerAdapter class that was returning null from the invoke() method defined in the DelegatingInvocableHandler class. Further details on these releases may be found in the release notes for version 3.3.3 and version 3.2.7.

Spring for Apache Pulsar

Versions 1.2.3 and 1.1.9 of Spring for Apache Pulsar have been released featuring respective dependency upgrades to Spring Framework 6.2.3 and 6.1.17, Micrometer 1.14.4 and 1.13.11, Micrometer Tracing 1.4.3 and 1.3.9 and Project Reactor 2024.0.3 and 2023.0.15. More details on these releases may be found in the release notes for version 1.2.3 and version 1.1.9.