Spring Boot 3.5 Release Notes

Upgrading from Spring Boot 3.4

spring-boot-parent

The spring-boot-parent module is no longer published. It provides dependency management for internal dependencies used, for example, in Spring Boot’s own tests. If you were using spring-boot-parent, replace it with dependency management of your own that meets your application’s needs.

Actuator 'heapdump' Endpoint

The heapdump actuator endpoint now defaults to access=NONE. The aims to help reduce the likelihood of a misconfiguration application leaking sensitive information.

If you want to use it, you now need to both expose it, and configure access (previously, you only needed to expose it).

To do that, you can use something similar to following configuration:

management:
  endpoints:
    web:
      exposure:
        include: heapdump
  endpoint:
    heapdump:
      access: unrestricted

Using '.enabled' and Other Boolean Configuration Properties

Supported values for .enabled properties have been tightened with this release and are now more consistent. Values must now be either true or false.

Previous versions of Spring Boot would sometimes use conditions that considered any value other than false as enabled.

Validation of Profile Naming

Rules for profile naming have been tightened with this release and are now more consistent. Profiles can now only contain - (dash), _ (underscore), letters and digits. Additionally, Profiles are not allowed to start or end with - or _.

Note	As of Spring Boot 3.5.1 these restrictions have been relaxed a little to also allow `.`, `+` and `@` characters. You can also set `spring.profiles.validate` to `false` to disable validation entirely.

Follow Redirects with TestRestTemplate

The TestRestTemplate now uses the same follow redirects settings as the regular RestTemplate. The HttpOption.ENABLE_REDIRECTS option has also been deprecated.

If the new default settings causes issues with your tests, you can use the TestRestTemplate.withRedirects(…) method to pick an alternative follow redirects strategy.

Auto-configured TaskExecutor Names

Previously Spring Boot auto-configured a TaskExecutor with the taskExecutor and applicationTaskExecutor bean names. As of this release, only the applicationTaskExecutor bean name is provided. Code that is requesting the auto-configured Executor by name should be adapted to use applicationTaskExecutor.

If you relied on this behaviour and cannot change it immediately, the alias can be added using a BeanFactoryPostProcessor, as shown in the following example:

@Configuration
public class MyConfiguration {

    @Bean
    static BeanFactoryPostProcessor taskExecutorAliasBeanFactoryPostProcessor() {
        return (beanFactory) -> beanFactory.registerAlias("applicationTaskExecutor", "taskExecutor");
    }

}

Groovy Template Configuration Properties

The spring.groovy.template.configuration. properties have been deprecated in favor of new and existing spring.groovy.template. properties. See the configuration changelog for further details.

Redis

When spring.data.redis.url is configured, the Redis database that is used is determined by the URL. If the URL does not specify a database, the default of 0 is used. The spring.data.redis.database property is now ignored when spring.data.redis.url is configured, aligning its behavior with the host, port, username, and password properties.

Prometheus Pushgateway

Pushing metrics to a Prometheus Pushgateway now requires io.prometheus:prometheus-metrics-exporter-pushgateway instead of io.prometheus:simpleclient_pushgateway.

The new client’s Pushgateway support may also require a configuration change. If you were using management.prometheus.metrics.export.pushgateway.base-url, replace it with management.prometheus.metrics.export.pushgateway.address and adjust the value to be in the form host:port.

Three new properties have been added in support of the new Pushgateway client:

management.prometheus.metrics.export.pushgateway.format
management.prometheus.metrics.export.pushgateway.scheme
management.prometheus.metrics.export.pushgateway.token

Set the scheme property to https to use SSL when pushing metrics. Set the token property (instead of the existing username and password properties) to use token-based authentication. Set the format property to text to push metrics as text rather than using protobuf.

Native Test with Maven

The nativeTest profile has been harmonized with native to make it friendly for multi-module projects. Native test execution will not occur unless the Spring Boot and Native Build tools plugin are defined in the project. This is already the case for the native profile.

See the documentation for more details.

ECS Structured Logging JSON

JSON output for ECS structure logging has been updated to use the nested format. This should improve compatibility with the backends that consume the JSON.

See https://github.com/spring-projects/spring-boot/issues/45063 for background.

Apache Pulsar

The default version of the Apache Pulsar client has been upgraded from 3.3.x to 4.0.x. This upgrade was made to align with the Apache Pulsar release policy. 3.3.x has now reached end-of-life and 4.0.x is a new LTS release.

Couchbase Capella

Due to changes in Spring Boot’s support for configuring Couchbase to use SSL, Couchbase Capella’s embedded certificate will no longer be picked up automatically. If you are using Capella and want to trust its embedded certificate, create an SSL bundle with a truststore that references the certificate and configure Couchbase to use it:

spring:
  ssl:
    bundle:
      pem:
        couchbase-bundle:
          truststore:
            # Note that this certificate is fetched from the `com.couchbase.client:code-io` dependency.
            certificate: classpath:com/couchbase/client/core/env/capella-ca.pem
  couchbase:
    env:
      ssl:
        bundle: couchbase-bundle

Deprecations from Spring Boot 3.3

Classes, methods, and properties that were deprecated in Spring Boot 3.3 and marked for removal in 3.5 have been removed in this release. Please ensure that you aren’t calling deprecated methods or otherwise using deprecated functionality before upgrading.

Minimum Requirements Changes

None.

New and Noteworthy

Tip	Check the configuration changelog for a complete overview of the changes in configuration.

Annotations to Register Filter and Servlet

As an annotation-based alternative to ServletRegistrationBean and FilterRegistrationBean two new annotations have been added. @ServletRegistration can be used to register Servlet, while @FilterRegistration can be used to register Filter, as shown in this example:

@Configuration(proxyBeanMethods = false)
class MyConfiguration {

    @Bean
    @FilterRegistration(name = "my-filter", urlPatterns = "/test/*", order = 0)
    MyFilter myFilter() {
        return new MyFilter();
    }

}

Additionally, the behavior of FilterRegistrationBean for empty dispatcher types has been adjusted. Previously, it was possible to pass an empty DispatcherType set into the setDispatcherTypes methods, and this empty set would be passed through to the server. Now it’s the same behavior as calling setDispatcherTypes(null), which aligns it to the FilterRegistration annotation.

Load Properties From Environment Variables

While it was already possible to load a single property from an environment variable, it’s now possible to load multiple properties from a single environment variable.

For example, the multi-line environment variable MY_CONFIGURATION with this content:

my.var1=value1
my.var2=value2

can now be imported using the env: prefix:

spring.config.import=env:MY_CONFIGURATION

After this, my.var1 and my.var2 are available in the Environment.

This feature supports properties and yaml format. For more details, please see the documentation.

Customizing Structured Logging Stack Traces

Stack Trace written to structured logs can now be customized to limit their size or print them in a different format. You can use the logging.structured.json.stacktrace.* properties to configure stack trace output.

For details, see the updated reference documentation.

ClientHttpConnector Builder and Configuration Properties

Users of WebClient can now use properties for global configuration such as timeouts and redirect settings. This feature aligns with the support that we added for blocking clients in Spring Boot 3.4. As a result, some default behavior as changed to be aligned with the blocking clients; for example, follow redirects are now enabled by default.

For details, see the update reference documentation.

In addition to the new properties, the new ClientHttpConnectorBuilder interface can be used for more complex customizations.

SSL Support for Service Connections

Client side SSL support has been added for selected service connections. This is supported for the following service connections:

Cassandra
Couchbase
Elasticsearch
Kafka
MongoDB
RabbitMQ
Redis

The Testcontainers and Docker Compose integrations have been updated to allow SSL configuration, too. For Testcontainers, you can use new annotations, for Docker Compose you’d use labels.

Task Decoration for Scheduled Tasks

If a TaskDecorator bean is present, it is applied to the auto-configured taskScheduler bean. It is also applied to the auto-configured ThreadPoolTaskSchedulerBuilder and SimpleAsyncTaskSchedulerBuilder beans. It will be used by any schedulers created using those builders.

AsyncTaskExecutor with Custom Executor

If an Executor bean is present, Spring Boot can now be configured to auto-configure an AsyncTaskExecutor anyway. To do so, set the spring.task.execution.mode property to force.

When running in this mode, it makes sure that all integrations, including regular @Async processing uses the auto-configured executor, unless an AsyncConfigurer bean is defined.

OpenTelemetry

Spring Boot now supports the OTEL_RESOURCE_ATTRIBUTES and OTEL_SERVICE_NAME environment variables. Resource attributes configured through the configuration property take precedence over those from the environment variables.

Additionally, support for the service.namespace resource attribute has been added. The value of this attribute is read from the spring.application.group configuration property.

Support for the service.group resource attribute has been deprecated and will be removed in a future release.

It’s now possible to define a custom BatchSpanProcessor bean.

The span export can now be configured with newly added properties under the management.tracing.opentelemetry.export prefix.

Spring Batch

The JobParametersConverter used by Spring Batch can now be customised by defining a bean of that type. When no such bean is defined the DefaultJobParametersConverter will be used as before.

The new spring.batch.jdbc.validate-transaction-state property can be used to control whether transaction state is validated. The default behavior is unchanged and transaction state will be validated.

Ignore Properties When Using `spring-boot-configuration-processor`

When using the spring-boot-configuration-processor, the META-INF/additional-spring-configuration-metadata.json file can now be used to ignore properties:

{
  "ignored": {
    "properties": [
      {
        "name": "my.age"
      }
    ]
  }
}

This removes my.age from the generated spring-configuration-metadata.json file. Additionally, the information that my.age has been ignored is also recorded in the generated spring-configuration-metadata.json file.

OAuth 2 Client Auto-configuration

OAuth 2 Client auto-configuration now applies in more situations and is more granular.

OAuth2ClientAutoConfiguration configure OAuth 2 client related beans in anything other than a reactive web application.
OAuth2ClientWebSecurityAutoConfiguration configures OAuth 2 client based web security in a servlet web application.
ReactiveOAuth2ClientAutoConfiguration configures reactive OAuth 2 client related beans in anything other than a servlet web application.
ReactiveOAuth2ClientWebSecurityAutoConfiguration configures OAuth 2 client based web security in a reactive web application.

Auto-configuration for Bean Background Initialization

Spring Boot now auto-configures a bean named bootstrapExecutor if it’s not already there. For that to work, there needs to be a bean named applicationTaskExecutor in the context, which is the default if you haven’t defined a custom Executor bean. This enables bean background initialization out of the box.

Redis

Add support for configuring ReadFrom using the spring.data.redis.lettuce.read-from property.

Liquibase

The managed version of Liquibase is now 4.31.0. Two new Liquibase properties have been added:

spring.liquibase.analytics-enabled – Whether to send product usage data and analytics to Liquibase
spring.liquibase.license-key – Liquibase Pro license key

Use of the properties requires Liquibase 4.31.0 or later.

Vibur Connection Pool

Support for configuring a Vibur DBCP connection pool using DataSourceBuilder has been added. Dependency management has also been updated to cover org.vibur:vibur-dbcp.

Testcontainers and Docker Compose support for `lldap/lldap` containers

Containers using the lldap/lldap image can now be used with Docker Compose and Testcontainers. Testcontainers supports this image with LLdapContainer.

Cloud Native Buildpacks

Ubuntu Noble

The default builder has been switched to paketobuildpacks/builder-noble-java-tiny. The resulting image doesn’t have a shell or other utilities. If you need a shell, you can use paketobuildpacks/ubuntu-noble-run-base as the run image.

Docker Config Authentication

Both the Maven and Gradle plugin will now attempt to use authentication settings from your docker config.json file. This includes support for executing credential helpers to support things like the MacOS keychain.

Triggering Quartz Jobs From the Actuator

The Quartz Actuator endpoint can now be used to trigger Quartz jobs by sending an HTTP POST to the /actuator/quartz/jobs/{groupName}/{jobName} URL.

See the updated REST documentation for an example.

SSL Bundle Metrics

Spring Boot Actuator now publishes metrics for SSL bundles. The metric ssl.chains counts the number of chains and their status (valid, expired, soon-to-be-expired, not-yet-valid). The metric ssl.chain.expiry tracks the number of seconds until expiry for each certificate chain.

Mappings Endpoint

The mappings endpoint now includes information about WebMvc.fn router functions. Consult the Actuator REST API documentation for details of the updated response structure.

Dependency Upgrades

Spring Boot 3.5 moves to new versions of several Spring projects:

Numerous third-party dependencies have also been updated, some of the more noteworthy of which are the following:

Miscellaneous

Apart from the changes listed above, there have also been lots of minor tweaks and improvements including:

The application_name property of the Postgres docker container is now configured by default using spring.application.name.
The auto-configuration for Jackson retains modules that have been added prior to its execution, rather than overwriting them.
Tomcat connector’s max parameter count can be configured using the server.tomcat.max-parameter-count property.
Actuator’s process info contributor now contains virtual thread information when running on JDK 24 or later.
The ECS structured logging format now adds Logback and Log4j’s markers in the tags field.
Spring Boot now installs a Logback OnErrorConsoleStatusListener to print error messages during Logback initialization to the console.
The 'errors' entry returned from ErrorAttributes now includes errors from MethodValidationResult. Errors may be wrapped to ensure that they can be safely serialised to JSON.
Zipkin auto-configuration now uses ZipkinHttpClientSender by default, if the HttpClient class is unavailable URLConnectionSender is used.
A new @ConditionalOnBooleanProperty annotation has been introduced.
Empty passwords are now supported when using Bitnami’s PostgreSQL image with Docker Compose. Set ALLOW_EMPTY_PASSWORD in the container’s environment to enable the support.
The new property management.server.accesslog.prefix can now be used to customize the access log prefix for the management server.
The AWS Advanced JDBC Wrapper is now auto-detected from jdbc:aws-wrapper:… URLs, removing the need to configure spring.datasource.driver-class-name.
ConstraintViolations can be adapted to a MethodValidationResult by setting the new spring.validation.method.adapt-constraint-violations property to true
If io.micrometer:micrometer-java21 is on the classpath, a VirtualThreadsMetrics bean is now auto-configured.
The java.home system property is no longer used when running in native image.
The new property spring.jooq.config can be used to specify an external jOOQ settings.xml file or resource.
New factory methods have been added to SslManagerBundle to create a SslManagerBundle from a TrustManagerFactory or from a TrustManager.
The logging.structured.json.customizer properties now accepts more than one customizer.
A new spring.r2dbc.pool.acquire-retry property has been added.
@ConditionalOnBean and @ConditionalOnMissingBean now support generic @Bean return types.
@ConditionalOnProperty and @ConditionalOnBooleanProperty are now @Repeatable.
Some unbindable properties with the prefixes spring.datasource.dbcp2, spring.datasource.hikari, spring.datasource.oracleucp and spring.datasource.tomcat have been removed from spring-configuration-metadata.json.
The new property spring.mvc.contentnegotiation.default-content-types can be used to configure default content types with Spring MVC.
EndpointRequest for both servlet and reactive stacks now supports matching on HTTP method.
SanitizingFunction now has convenience builder methods. See SanitizingFunction.sanitizeValue() for an example.
@ConfigurationPropertiesBinding annotated @Bean methods can now be implemented as lambdas.
ApplicationConversionService now detected generic types from converter @Bean methods.
A CqlOperations bean is now auto-configured and used internally by CassandraTemplate.
A ReactiveCqlOperations bean is now auto-configured and used internally by ReactiveCassandraTemplate.
An ObjectDirectoryMapper bean is now auto-configured and used internally by LdapTemplate.
Renamed management.server.accesslog.prefix to management.server.{server}.accesslog.prefix where {server} can be jetty, tomcat or undertow.
The micrometer.observations.annotations.enabled configuration property was deprecated in 3.2.x in favor of management.observations.annotations.enabled. Support for the former has been removed entirely.
The property spring.kafka.listener.auth-exception-retry-interval has been added to configure the time between retries after authentication exceptions.
Logging for Cloud Native Buildpacks integration has been improved.
The new property spring.data.mongodb.protocol has been added to allow the MongoDB protocol to be customized.
Logback and Log4j2 now respect the console charset.
The transport-specific configuration properties for GraphQL have been reorganized. spring.graphql.path is now spring.graphql.http.path and spring.graphql.sse.timeout is replaced by spring.graphql.http.sse.timeout.
Support for Zipkin’s URLConnectionSender has been removed.
Removed the default value of OtlpMetricsProperties.url. However, this should lead to no visible changes as Micrometer then provides the default value.
The auto-configured JdbcTemplate can be further customized using additional configuration properties for ignoreWarnings, skipResultsProcess, skipUndeclaredResults, and resultsMapCaseInsensitive.
In most cases, a DataSource can now be auto-configured without spring-jdbc on the classpath. spring-jdbc is still required to use an embedded database without a connection pool.
The property server.tomcat.use-apr now defaults to never. If you want to use Tomcat’s APR, set the property to when-available or always.
A PollerMetadataCustomizer has been added to customize Spring Integration’s PollerMetadata.
Garbage collector information has been added to the actuator process info.
Removed the readonly flag from the BuildImage Maven mojo to remove Maven warnings.
The SameSite attribute can be omitted from the session cookie by setting server.servlet.session.cookie.same-site or server.reactive.session.cookie.same-site to omitted.
MeterProvider beans are now automatically configured on OtlpHttpLogRecordExporter, OtlpHttpSpanExporter, OtlpGrpcLogRecordExporter and OtlpGrpcSpanExporter.
The referral mode for Spring LDAP can be configured with the new spring.ldap.referral property.
Customizers for OtlpHttpSpanExporterBuilder and OtlpGrpcSpanExporterBuilder have been added.
The new property spring.kafka.consumer.max-poll-interval can be used to configure Kafka’s maximum delay between poll invocations.
RECORD_COMPONENT has been removed as a target from @DefaultValue, as it wasn’t really necessary.
The auto-configured RestClientSsl bean now builds upon, rather than overwrite, the configuration from HttpClientProperties.
RestClientAutoConfiguration now applies for reactive web applications that are using virtual threads and have a applicationTaskExecutor bean.
The Auto-configured OtlpMeterRegistry now applies any use provided OtlpMetricsSender bean.
It is now possible to set histogram-flavor and max-buckets per meter registry.
Additional properties have been added under logging.structured.json.context to allow context data to not be logged, or to be logged in a different location.
A new spring.test.print-condition-evaluation-report property has been added that can be set to false if you don’t want the details printed when tests fail.

Deprecations in Spring Boot 3.5.0

ConditionalOutcome.inverse(…) has been deprecated for removal since it doesn’t generate a useful message
Support for SignalFX has been deprecated, following the deprecation in Micrometer.
org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider has been deprecated to move it to org.springframework.boot.actuate.autoconfigure.security.servlet.RequestMatcherProvider.
org.springframework.boot.autoconfigure.security.oauth2.client.ClientsConfiguredCondition in favor of @org.springframework.boot.autoconfigure.security.oauth2.client.ConditionalOnOAuth2ClientRegistrationProperties.
org.springframework.boot.autoconfigure.security.oauth2.resource.IssuerUriCondition in favor of @org.springframework.boot.autoconfigure.security.oauth2.resource.ConditionalOnIssuerLocationJwtDecoder.
org.springframework.boot.autoconfigure.security.oauth2.resource.KeyValueCondition in favor of @org.springframework.boot.autoconfigure.security.oauth2.resource.ConditionalOnPublicKeyJwtDecoder.
org.springframework.boot.devtools.autoconfigure.OnEnabledDevToolsCondition in favor of @org.springframework.boot.devtools.autoconfigure.ConditionalOnEnabledDevTools.
The configuration property spring.mvc.converters.preferred-json-mapper has been deprecated. It is replaced by spring.http.converters.preferred-json-mapper.
The configuration properties spring.codec.log-request-details and spring.codec.max-in-memory-size have been deprecated. They are replaced by spring.http.codecs.log-request-details and spring.http.codecs.max-in-memory-size respectively.
org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration in favor of org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientAutoConfiguration.
org.springframework.boot.logging.LoggingSystemProperties.getDefaultCharset() in favor of getDefaultConsoleCharset() or getDefaultFileCharset().
ThreadPoolTaskSchedulerBuilder multi-parameter based constructor in favor of the default constructor.
org.springframework.boot.autoconfigure.condition.ConditionOutcome.inverse(ConditionOutcome)` in favor of creating a new ConditionOutcome.
KafkaConnectionDetails…BootstrapServers methods in favor of using chained method calls.
The ConnectionDetailsFactories default constructor in favor for a version that accepts a class loader.
OnEnabledDevToolsCondition in favor of the @ConditionalOnEnabledDevTools annotation.