Spring AI 2.0.0-M7: ToolSpec Interface and Unified Tool Registration
Spring AI 2.0.0-M7 (the seventh milestone release on the 2.0 path) adds a new ToolSpec interface to the ChatClient API. The interface provides a single point of registration for tool methods, replacing the previous approach of separately configuring tool definitions and their backing implementations. Alongside this, ToolCallAdvisor becomes the default mechanism for automatic tool call handling: when the model returns a tool call, the advisor intercepts the response, invokes the registered tool, and feeds the result back into the conversation without requiring explicit orchestration code in the application layer.
This change has practical implications for teams building AI agents with Spring AI: the boilerplate for wiring tools into a chat loop shrinks substantially, and the advisor pattern makes it easier to compose tool-call behavior with other ChatClient advisors like retry or audit logging. The M7 release continues to target Spring Boot 4.1 (currently in RC phase) and Spring Framework 7. Teams experimenting with the 2.0 milestone series should expect the API surface to remain stable through the remaining milestones.
Open Liberty 26.0.0.5: Full Jakarta EE 11 and Spring Boot 4.0 Support
IBM's Open Liberty 26.0.0.5 achieves full certification against the Jakarta EE 11 Platform, Web Profile, and Core Profile — making it one of the first application servers to fully pass the Jakarta EE 11 TCK. The release is particularly relevant for teams considering Open Liberty as a runtime for Spring Boot applications: 26.0.0.5 adds explicit support for deploying and executing Spring Boot 4.0 applications on the Liberty runtime, enabling organizations to use Liberty's operational features (thin WARs, server configuration, MicroProfile integration) with modern Spring Boot applications.
The release also resolves CVE-2026-3621, an identity spoofing vulnerability in Liberty's OpenID Connect client. Teams running Open Liberty with OIDC authentication should treat this as a security-critical update. The Jakarta EE 11 certification covers Jakarta Pages 4.0, CDI 4.1, Jakarta Security 4.0, and the full set of Web Profile APIs, making Open Liberty a viable migration target for teams moving off older Jakarta EE 10 or Java EE 8 runtimes.
Apache Kafka 4.3.0: OAuth2 Private Key JWT Support
Apache Kafka 4.3.0 ships enhanced OAuth2 authentication with support for the private_key_jwt client authentication method. This allows Kafka clients to authenticate to OAuth2 authorization servers with a JWT assertion signed by the client's private key, rather than a shared client secret. private_key_jwt is the more secure pattern for machine-to-machine OAuth2 flows because the private key never leaves the client (only a signed assertion is transmitted), eliminating the risk of credential leakage through secret rotation failures or log exposure.
The practical impact for teams running Kafka in enterprise environments with centralized identity infrastructure (Keycloak, Azure AD, Okta) is that they can now adopt the more security-hardened client authentication flow without patching or custom SASL mechanisms. Spring for Apache Kafka 4.1.0 (currently in RC) will carry forward this capability natively when connecting through Spring's Kafka integration layer.
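The private_key_jwt exchange described above, as an added example that is not Kafka's or Spring's own code: the client signs a short-lived assertion (claims per RFC 7523), and the authorization server checks it against the public key registered for that client. The client id, token endpoint URL and the freshly generated demo keys are constructed assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

public class PrivateKeyJwtDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Client side: build and sign the assertion. iss and sub are both the client_id,
    // aud is the token endpoint, jti and exp limit replay of a captured assertion.
    static String buildAssertion(PrivateKey key, String clientId, String aud, long ttlSeconds)
            throws GeneralSecurityException {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"jti\":\"%s\",\"iat\":%d,\"exp\":%d}",
            clientId, clientId, aud, UUID.randomUUID(), now, now + ttlSeconds);
        String signingInput = b64(header) + "." + b64(claims);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(s.sign());
    }

    // Server side: signature check against the registered public key. A real server
    // also validates aud and exp, and rejects a jti it has already seen.
    static boolean verifySignature(PublicKey registered, String jwt) throws GeneralSecurityException {
        String[] p = jwt.split("\\.");
        if (p.length != 3) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(registered);
        s.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        return s.verify(Base64.getUrlDecoder().decode(p[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair client = g.generateKeyPair();   // constructed demo key, stays on the client
        KeyPair other = g.generateKeyPair();    // a key the server never registered
        String jwt = buildAssertion(client.getPrivate(), "kafka-producer-1",   // hypothetical client id
                "https://idp.example.com/oauth2/token", 60);                   // hypothetical endpoint
        // Token request body: no client_secret parameter appears anywhere in it.
        String type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
        System.out.println("grant_type=client_credentials&client_assertion_type="
            + URLEncoder.encode(type, StandardCharsets.UTF_8) + "&client_assertion=" + jwt);
        System.out.println("registered key verifies: " + verifySignature(client.getPublic(), jwt));
        System.out.println("unregistered key verifies: " + verifySignature(other.getPublic(), jwt));
    }
}
```

An assertion captured from logs or the wire is only useful until its exp passes, and only if the server has not yet recorded its jti, which is the property a long-lived shared secret cannot offer.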