Category Archives: Spring

Spring Data JPA 3 to 4 Migration Guide: Query Derivation Changes, the hibernate-processor Coordinate Swap, and Value-Objects

When I upgraded a service from Spring Boot 3 to 4, the framework and web-layer changes got all the attention — but the part that actually cost me an afternoon was the repository layer. Spring Boot 4 pulls in the Spring Data 2025.1 generation (Spring Data JPA 4.0), and that carries three changes that don’t show up in a casual read of the release notes: an annotation-processor coordinate that was renamed out from under you, a complete rewrite of how derived queries are generated, and a much friendlier story for modelling value objects. None of these are loud failures. Two of them compile cleanly and then misbehave, which is the worst kind.

This guide walks the whole repository-layer migration beginner to advanced, on a real Spring Boot 4.1.0 project running Spring Data JPA 4.0, Hibernate 7.1, and Java 25. We start with how to confirm which Spring Data generation you’re actually on, then the hibernate-processor coordinate swap and the silent metamodel failure it causes, then the CriteriaQuery-to-JPQL rewrite of derived queries and its one real behavioural edge, then value objects — records as embeddables and as projections — and finally the removals that will fail your build outright. Every error message below is the real one, not a paraphrase.

Continue reading Spring Data JPA 3 to 4 Migration Guide: Query Derivation Changes, the hibernate-processor Coordinate Swap, and Value-Objects

Surviving the AI Vulnerability Wave: How to Automate Spring Boot Dependency Patches

Something changed in the Spring ecosystem over the last year. AI-powered vulnerability scanners now watch the CVE feeds, the Spring Security advisories, and the transitive dependency graphs of public repositories continuously — and they file patch requests the moment a fixable version lands. A single Spring Boot service pulls in 150–300 transitive dependencies, each an independent source of CVEs, so across a fleet the number of safe, boring, necessary bumps per week now exceeds what any human can hand-review. Manual upgrades, one POM at a time, are no longer a sustainable remediation strategy. This guide builds the alternative: an automated dependency patching pipeline for Spring Boot — bot-driven update PRs, an automated regression gate that decides whether a bump is safe, and canary deployments that catch the failures your tests miss.

Verified (July 2026): The dependency:tree outputs in the dependency-model section below are real — captured with Apache Maven 3.9.11 resolving the official spring-boot-starter-parent BOMs (3.3.5 and 3.4.1) directly from Maven Central. Dependency resolution is JDK-independent, so the resolved versions shown are exactly what your build gets. The Dependabot, Renovate, Testcontainers, and Argo Rollouts configurations are production patterns you run on your own CI and cluster.

Why manual Spring Boot patching no longer scales

When a vulnerability lands in something deep in the graph — a Netty buffer, a SnakeYAML parser, a Tomcat connector — the fix usually arrives as a patch release you inherit by bumping a single managed version. The problem is volume: the number of upgrades per week now exceeds what a team can review without either rubber-stamping (dangerous) or falling behind (also dangerous).

  • The scanners do not sleep. Automated tooling files patch PRs within hours of a CVE disclosure, not days.
  • Most bumps are trivial — but not all. The ~95% that are pure patch releases are safe to automate; the ~5% that quietly change behaviour are what an automated test gate exists to catch.
  • Falling behind compounds. Skip patches for two quarters and your “simple” upgrade becomes a multi-version migration with breaking changes.

The answer is not to review faster. It is to let bots open the PRs, let your test suite decide which ones are safe, and reserve human attention for the minority that actually need it.

Continue reading Surviving the AI Vulnerability Wave: How to Automate Spring Boot Dependency Patches

Spring Security 5 to 6 to 7 Migration: SecurityFilterChain, Lambda DSL, and the Silent Authorization Changes

Of every breaking change in the Spring Boot 2 → 3 era, the removal of WebSecurityConfigurerAdapter generated the most confused stack traces I’ve debugged — because security configuration is the one place where “it compiles and runs” tells you almost nothing about whether it still protects anything. This guide migrates Spring Security 5 configurations to the 6.x component model (Spring Boot 3.x), covers what tightens further in Spring Security 7 (Spring Boot 4), and flags the places where a mechanical conversion quietly changes your authorization behaviour.

Continue reading Spring Security 5 to 6 to 7 Migration: SecurityFilterChain, Lambda DSL, and the Silent Authorization Changes

RestTemplate to RestClient Migration Guide: Method Mapping, Error Handling, and the exchange() Trap

Spring Boot 4 finally forced the issue: RestTemplate, in maintenance mode since Spring 5, is out of the recommended path, and codebases full of getForObject() and exchange() calls need a plan. The good news is that RestClient (introduced in Spring 6.1 / Boot 3.2) was designed as the synchronous successor, so this migration is mostly mechanical — if you know the method-by-method mapping and the three places where behaviour quietly differs. This guide gives you both.

Continue reading RestTemplate to RestClient Migration Guide: Method Mapping, Error Handling, and the exchange() Trap

Zuul to Spring Cloud Gateway Migration: Routes, Filters, and the Blocking-Call Traps

The first time I ported a Zuul gateway to Spring Cloud Gateway, the routes took an afternoon — and the filters took two weeks. That ratio surprises every team that attempts this migration, because the route configuration looks superficially similar while the filter model is a different universe: Zuul 1 is a blocking servlet filter chain, Spring Cloud Gateway runs on Netty with Project Reactor, and a single hidden blocking call in a ported filter can stall your entire gateway. This guide covers the route conversion, the filter-by-filter port, and the blocking-call traps, in that order.

Continue reading Zuul to Spring Cloud Gateway Migration: Routes, Filters, and the Blocking-Call Traps

Spring Cloud Netflix to Modern Alternatives: The Complete Migration Guide (2026)

In 2020 I published a dozen tutorials on this site covering Eureka, Hystrix, Zuul, Ribbon, and Feign — the Spring Cloud Netflix stack. They were accurate then. Today, most of that stack is dead: Netflix put Hystrix into maintenance mode back in 2018, Zuul 1 and Ribbon followed, and the Spring team removed them from the Spring Cloud release train entirely. If you are still running any of these libraries on Spring Boot 2.x, this guide maps every Netflix component to its modern replacement and shows you the actual migration steps — including the parts that break.

Continue reading Spring Cloud Netflix to Modern Alternatives: The Complete Migration Guide (2026)

Spring Boot 3 to 4 Migration Guide: What Actually Breaks, Why It Breaks, and How to Fix It

Everything in this guide was tested on Spring Boot 4.0.0, Spring Framework 7.0.0, Spring Security 7.0.0, and Java 21.0.3 (Eclipse Temurin). Behaviour details may differ on milestone or RC builds of Boot 4 — check the release notes if you are running a pre-GA version.

TL;DR

  • Spring Boot 4 keeps a Java 17 baseline (latest LTS encouraged) — the hard bumps are Kotlin 2.2+, GraalVM 25+, Jakarta EE 11, and Servlet 6.1 (Tomcat 11 / Jetty 12.1; Undertow support is removed).
  • All APIs deprecated in Boot 3.x are removed in Boot 4. There are no grace periods.
  • Virtual threads remain opt-in (spring.threads.virtual.enabled=true) — but if you flip them on during this upgrade, pinning and ThreadLocal bugs change how you reason about concurrency.
  • Spring Security’s HttpSecurity lambda DSL is now the only supported approach — method chaining is gone.
  • The monolithic auto-configure jar is split into per-technology modules — starter names change, every starter gains a -test companion, and missing beans show up at runtime, not compile time.
  • Jackson 3 is the default JSON library — new tools.jackson packages, renamed Boot annotations, changed serialisation defaults, and a deprecated spring-boot-jackson2 stop-gap.
  • Testing breaks in specific ways: @MockBean/@SpyBean are removed, and @SpringBootTest no longer auto-configures MockMvc or TestRestTemplate.
Continue reading Spring Boot 3 to 4 Migration Guide: What Actually Breaks, Why It Breaks, and How to Fix It