Spring Ecosystem Update: Security RC1 and CVE Fixes, Integration RC1, Vault RC1, Spring AI Memory Sessions, 2026-04-22

Spring Security 7.1.0-RC1 and Maintenance Releases

Spring Security released its first release candidate for 7.1.0 alongside maintenance updates for the 6.5.x and 7.0.x branches on April 21. Spring Security 7.1.0-RC1 introduces MessageExpressionAuthorizationManager, a new class that brings SpEL expression-based authorization to message handling — allowing security rules like hasRole('ADMIN') to be applied directly to inbound messages in WebSocket and messaging channels. A new InetAddressMatcher interface supports both IPv4 and IPv6 CIDR notation for IP address-based access control decisions, replacing brittle string-comparison approaches.
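Why CIDR matching is safer than comparing address strings, shown as an added example that is not Spring Security code and does not use InetAddressMatcher (its API is not shown on this page). The `CidrMatchExample` class, its `matches` helper and all sample addresses are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class CidrMatchExample {

    // Hypothetical helper (not a Spring Security API): true if address lies inside cidr.
    static boolean matches(String cidr, String address) throws UnknownHostException {
        String[] parts = cidr.split("/");
        // Pass IP literals only: getByName parses literals without a DNS lookup.
        byte[] network = InetAddress.getByName(parts[0]).getAddress();
        byte[] candidate = InetAddress.getByName(address).getAddress();
        if (network.length != candidate.length) {
            return false; // an IPv4 rule never matches an IPv6 address, and vice versa
        }
        int totalBits = network.length * 8;
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : totalBits;
        if (prefix < 0 || prefix > totalBits) {
            throw new IllegalArgumentException("Invalid prefix length in " + cidr);
        }
        int fullBytes = prefix / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (network[i] != candidate[i]) {
                return false;
            }
        }
        int remainingBits = prefix % 8;
        if (remainingBits == 0) {
            return true;
        }
        // Compare only the leading bits of the byte that straddles the prefix boundary.
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (network[fullBytes] & mask) == (candidate[fullBytes] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample values.
        String rule = "10.1.0.0/16";
        String outside = "10.10.0.5";
        // "10.10.0.5" shares the text prefix "10.1" but is outside 10.1.0.0/16.
        System.out.println("startsWith check: " + outside.startsWith("10.1"));
        System.out.println("CIDR check:       " + matches(rule, outside));
        System.out.println("in-range address: " + matches(rule, "10.1.200.7"));
        // IPv6 addresses have many text forms; matching on bytes ignores the spelling.
        System.out.println("IPv6 long form:   " + matches("2001:db8::/32", "2001:0db8:0:0:0:0:0:1"));
        System.out.println("IPv6 other net:   " + matches("2001:db8::/32", "2001:db9::1"));
    }
}
```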

The companion maintenance releases — 6.5.10 and 7.0.5 — ship with CVE resolutions across both branches. Developers running either line in production should upgrade promptly. The presence of an RC1 for the 7.1 branch also signals that the Spring Security team is targeting a GA release within the coming weeks, aligned with Spring Boot 4.1's anticipated schedule.

Spring Authorization Server 1.5.7 was also released on the same day (by Joe Grandja), delivering maintenance fixes to the OAuth 2.1 and OIDC server implementation. Applications that host their own authorization servers and require up-to-date security patches should upgrade to this latest maintenance release.



Spring Integration 7.1.0-RC1

Spring Integration 7.1.0-RC1 reached its first release candidate on April 21. Highlights include a new CloudEventHeadersBuilder for constructing CloudEvents-compliant message headers, simplifying integration with event-driven platforms that consume the CloudEvents specification (such as Knative Eventing and Azure Event Grid). The release also replaces TimeUnit with java.time.Duration across Redis queue classes, aligning the API with modern Java idioms and improving readability for configuration expressed in code.

Spring Integration provides the core enterprise integration patterns implementation in the Spring ecosystem — messaging channels, routers, transformers, and endpoint adapters for systems ranging from JMS to file systems to HTTP. The 7.1 line targets Spring Boot 4.1 compatibility and Java 21+.

RC1 is an appropriate adoption point for teams building on Spring Boot 4.1 milestones who want to evaluate the new CloudEvents support ahead of the GA release. As always, RC releases are stable enough for integration testing but should not be used in production without a plan to upgrade to GA.



Spring Vault 4.1.0-RC1 and Spring Vault 4.0.2

Spring Vault 4.1.0-RC1 was released on April 20 by Mark Paluch. The headline addition is CertificateContainer, a new abstraction for managing the complete lifecycle of PKI certificates retrieved from HashiCorp Vault. CertificateContainer handles certificate renewal, expiry tracking, and propagation to application components, reducing the boilerplate previously required to manage rotating TLS credentials. The release also ships SecretsRegistry with TTL-based automatic renewal for dynamic secrets, allowing Spring applications to keep Vault-issued credentials (database passwords, cloud credentials, etc.) continuously fresh without manual intervention.

The companion 4.0.2 maintenance release delivers bug fixes for the 4.0.x stable branch, ensuring teams that are not yet on the 4.1 milestones still receive security-relevant updates.

For teams using HashiCorp Vault in their infrastructure, Spring Vault 4.1 offers a significantly improved developer experience around certificate management, a pain point when running microservices that need mTLS or short-lived database credentials. The combination of CertificateContainer and SecretsRegistry reduces the risk of service outages caused by expired secrets.



Spring AI: Long-Lived Memory Sessions and A2A Recipes

The Spring team announced long-lived, memory-enabled sessions for Spring AI, enabling agents built with Spring AI to maintain conversation state across multiple interactions. This addresses a core limitation of stateless AI integrations, where context from earlier messages was lost between requests. Long-lived sessions allow agents to accumulate knowledge across a conversation, improving coherence for multi-turn workflows.

Alongside this announcement, Craig Walls published two recipes demonstrating Spring AI's agent capabilities: one covering agent-to-agent (A2A) communication patterns where Spring AI agents delegate tasks to other agents, and one demonstrating agentic planning using TodoWriteTool for breaking complex goals into tracked subtasks. These recipes provide concrete starting points for teams building multi-agent pipelines with Spring Boot and Spring AI.

This Week in Spring (April 21) also noted Netflix's public discussion of their production use of Java, Spring Boot, and Spring AI — a notable signal that the Spring AI stack is seeing adoption at scale in demanding engineering environments.




Written by

Stanislav Lentsov

Software Architect
