Spring Boot Knowledge Patch

Covers Spring Boot 3.4–4.0, Spring Framework 7.0, Spring Security 7.0, and Spring AI 1.0.

Index

Topic	Reference	Key features
Boot 4.0 migration	references/boot-4-migration.md	Modular starters, Jackson 3, HTTP service clients, RestTestClient, breaking changes
Spring Framework 7.0	references/framework-7.md	@Retryable in core, BeanRegistrar, JmsClient, API versioning, JPA 3.2
Spring Security 7.0	references/security-7.md	PathPatternRequestMatcher, DSL cleanup, SPA CSRF, MFA, OAuth2 HTTP services
Spring AI 1.0	references/spring-ai.md	ChatClient, @Tool, advisors/RAG, VectorStore, ChatMemory, MCP
Boot 3.4–3.5 features	references/boot-3.4-3.5.md	Structured logging, actuator access model, MockMvcTester, env properties import

---

Quick Reference — Boot 4.0 Starter Renames

Old (Boot 3.x)	New (Boot 4.0)
spring-boot-starter-web	spring-boot-starter-webmvc
spring-boot-starter-oauth2-client	spring-boot-starter-security-oauth2-client
spring-boot-starter-oauth2-resource-server	spring-boot-starter-security-oauth2-resource-server
spring-boot-starter	spring-boot-starter-classic (gradual migration)
spring-boot-starter-test	spring-boot-starter-test-classic (gradual migration)
(bare flyway-core)	spring-boot-starter-flyway (now required)
(bare liquibase-core)	spring-boot-starter-liquibase (now required)

Convention: spring-boot-<technology>, spring-boot-starter-<technology>, spring-boot-starter-<technology>-test.

Every technology now has a test starter companion. @WithMockUser requires spring-boot-starter-security-test.

---

Quick Reference — Jackson 3 (Boot 4.0 Default)

Jackson 3 uses tools.jackson package (annotations stay in com.fasterxml.jackson.annotation).

Old (Jackson 2)	New (Jackson 3)
@JsonComponent	@JacksonComponent
@JsonMixin	@JacksonMixin
JsonObjectSerializer	ObjectValueSerializer
Jackson2ObjectMapperBuilderCustomizer	JsonMapperBuilderCustomizer
spring.jackson.read.*	spring.jackson.json.read.*
spring.jackson.write.*	spring.jackson.json.write.*

Compatibility module: spring-boot-jackson2 (deprecated). Properties under spring.jackson2.*.

---

HTTP Service Clients (Boot 4.0)

Annotated interfaces get auto-configured implementations:

@HttpExchange(url = "https://echo.zuplo.io")
public interface EchoService {
    @PostExchange
    Map<?, ?> echo(@RequestBody Map<String, String> message);
}

Group registration with per-group configuration (Framework 7.0):

@ImportHttpServices(group = "weather", types = {WeatherApi.class})
@ImportHttpServices(group = "user", types = {UserApi.class})
class Config extends AbstractHttpServiceRegistrar {
    @Bean
    RestClientHttpServiceGroupConfigurer configurer() {
        return groups -> groups.filterByName("weather")
            .forEachClient((g, b) -> b.defaultHeader("X-Api-Key", key));
    }
}

---

RestTestClient (Boot 4.0)

Non-reactive alternative to WebTestClient. Works with @SpringBootTest, @AutoConfigureMockMvc, or random port:

@Autowired
RestTestClient restTestClient;

---

HttpMessageConverters Deprecated (Boot 4.0)

Replace custom HttpMessageConverter beans with customizers:

@Bean
ServerHttpMessageConvertersCustomizer myCustomizer() {
    return converters -> converters.jsonMessageConverter(myConverter);
}
// Also: ClientHttpMessageConvertersCustomizer for client-side

---

Spring Framework 7.0 — @Retryable in Core

Spring Retry merged into spring-core. Enable with @EnableResilientMethods:

@Configuration
@EnableResilientMethods
class AppConfig { }

@Service
class MyService {
    @Retryable(maxAttempts = 3)
    public String fetchData() { ... }

    @ConcurrencyLimit(limit = 5)
    public String limitedOp() { ... }
}

---

Spring Security 7.0 — Essential Changes

MvcRequestMatcher and AntPathRequestMatcher removed. Use PathPatternRequestMatcher:

http.authorizeHttpRequests(auth -> auth
    .requestMatchers("/api/**").hasRole("USER")
    .anyRequest().authenticated()
);

DSL cleanup: and() removed (use lambda DSL), authorizeRequests removed (use authorizeHttpRequests).

SPA CSRF: http.csrf(csrf -> csrf.spa());

---

Spring AI 1.0 — ChatClient

@Autowired ChatClient chatClient;

String answer = chatClient.prompt()
    .user("What is Spring Boot?")
    .call()
    .content();

// Structured output
record ActorFilms(String actor, List<String> movies) {}
ActorFilms result = chatClient.prompt()
    .user("List films with Tom Hanks")
    .call()
    .entity(ActorFilms.class);

Tool calling:

chatClient.prompt()
    .user("What's the weather in London?")
    .tools(weatherTools)  // @Tool-annotated @Component
    .call()
    .content();

---

Boot 3.4 — Structured Logging

logging.structured.format.console=ecs    # ecs, gelf, or logstash
logging.structured.format.file=logstash

Boot 3.4 — Actuator Access Model

Endpoint enabled/disabled replaced with fine-grained access control:

management.endpoints.access.default=unrestricted
management.endpoint.health.access=read-only
management.endpoints.access.max-permitted=read-only  # operator cap

Values: none, read-only, unrestricted. Old enabled properties are deprecated.

Boot 3.4 — RestClient HTTP Client Selection

spring.http.client.factory=jdk  # http-components, jetty, reactor, jdk, simple
spring.http.client.redirects=dont-follow  # default: follow

Auto-detection order: Apache HC > Jetty > Reactor Netty > JDK HttpClient > Simple.

---

Key Breaking Changes (Boot 4.0 / Framework 7.0)

• Undertow removed — use Tomcat or Jetty (Servlet 6.1 baseline)
• RestTemplate deprecated — use RestClient
• javax.annotation/javax.inject removed — use jakarta.*
• ListenableFuture removed — use CompletableFuture
• JUnit 6 baseline for test framework
• Liveness/readiness probes enabled by default
• DevTools Live Reload disabled by default
• Embedded launch scripts removed — use java -jar directly
• MongoDB properties renamed: spring.data.mongodb.* → spring.mongodb.*
• Elasticsearch: RestClient → Rest5Client
• Hibernate: hibernate-jpamodelgen → hibernate-processor
• @EntityScan moved to org.springframework.boot.persistence.autoconfigure.EntityScan
• spring.dao.exceptiontranslation.enabled → spring.persistence.exceptiontranslation.enabled
• management.tracing.enabled → management.tracing.export.enabled
• logging.console.enabled=false disables console logging
• WAR on Tomcat: use spring-boot-starter-tomcat-runtime instead of spring-boot-starter-tomcat
• Spring Retry dependency management removed — use Spring Framework's @Retryable instead
• Authorization Server now part of Spring Security; use spring-security.version

Reference Files

File	Contents
boot-4-migration.md	Modular starters, Jackson 3, HTTP services, RestTestClient, OpenTelemetry, breaking changes
framework-7.md	@Retryable/@ConcurrencyLimit, BeanRegistrar, JmsClient, API versioning, JPA 3.2, HttpHeaders
security-7.md	PathPattern matchers, DSL cleanup, SPA CSRF, MFA, Authorization Server, OAuth2 HTTP services
spring-ai.md	ChatClient, @Tool, advisors/RAG, VectorStore, ChatMemory, MCP server/client
boot-3.4-3.5.md	Structured logging, actuator access, RestClient config, MockMvcTester, bean defaults, env import