These days are “Spring Release Days”, with many Spring artifacts releasing new versions, Spring Framework 6.0.0 released its 4th milestone release, which includes all fixes for 5.3.20, as well as 39 fixes and improvements specific to the 6.0 branch. And yesterday Spring Boot 2.7.0 and several branches of Spring Security were released, especially Spring Boot 2.7.0 which is a very important release.

Spring Boot 2.7.0

The most important thing yesterday was the release of Spring Boot 2.7.0, which added a lot of new features and improvements. There are so many things, so I’ll just pick the highlights here.

Auto-configuration changes

Spring Boot 2.7.0 makes a big change to autoconfiguration.

autoconfiguration registration

Spring autoconfiguration classes are now in META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports; previously they were in META-INF/spring.facts. . It is still backwards compatible and both of them will work, but loading auto-configuration from spring.facts is not recommended.

New @AutoConfiguration annotation

A new @AutoConfiguration annotation has been introduced. This class is used to declare the AutoConfig class in AutoConfigRegistration above, which replaces @Configuration and can only be used by the AutoConfiguration class. You can also replace @AutoConfigureAfter and @AutoConfigureBefore with their after, afterNames, before, and beforeNames attributes.

@AutoConfiguration(after = SecurityAutoConfiguration.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
@ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class })
public class SecurityFilterAutoConfiguration {

Test Automation Configuration

If you create your own automation configuration class tests, you should also refer to Autoconfigure Registration above to configure the automation configuration class. Refer to the spring-boot-test-autoconfigure module in the Spring Boot project.

@SpringBootTest configuration item priority

Test properties that you can now add via the properties property of @SpringBootTest or the @TestPropertySource annotation have a higher priority than properties passed to args via the command line.

New Flyway modules

Spring Boot 2.7 has been upgraded to Flyway 8.5 (from 8.0). Since version 8.0, Flyway support for multiple databases has been extracted to the new module.

  • flyway-firebird (Firebird)
  • flyway-mysql (MariaDB and MySQL)
  • flyway-sqlserver (SQL Server)

If you are using Flyway to manage the above databases, please add the dependencies of the corresponding new modules.

Version 2.1 of the H2 database

Spring Boot 2.7 has been upgraded to H2 2.1.120 . H2 2.x is backward incompatible and fixes many security vulnerabilities.

OkHttp 4

As OkHttp 3 is no longer maintained, Spring Boot 2.7 has been upgraded to OkHTTP 4. As part of this upgrade, the property used to control the version of OkHttp has been changed from okhttp3.version to okhttp.version. If you wish to use OkHttp 3, please change to the corresponding version.

Support for Elasticsearch’s RestHighLevelClient has been deprecated

Elasticsearch has deprecated its RestHighLevelClient . In line with this, Spring Boot’s auto-configuration of RestHighLevelClient has been deprecated. Whenever possible, use the automatically configured low-level RestClient. Alternatively, consider configuring the new client manually.

Spring Boot 2.5 deprecations

Classes, methods and properties that are not recommended in Spring Boot 2.5 have been removed in this release. Please ensure that you are not calling deprecated methods before upgrading.

Note: Spring Boot version 2.5 has been discontinued OSS and free security updates and bug fixes are no longer available.

Spring GraphQL Support

Spring Boot 2.7 now supports Spring GraphQL with the corresponding starter spring-boot-starter-graphql. GraphQL is a query language for APIs and also a language that can cater to data queries.

Opaque token introspection optimization

If you use opaque token introspection in the OAuth2 resource server, the automatically configured introspection no longer requires a dependency on com.nimbusds:oauth2-oidc-sdk. You are able to remove this dependency from the application.

Couchbase and Elasticsearch testing annotations

Added @DataCouchbaseTest and @DataElasticsearchTest to test Couchbase and Elasticsearch databases, respectively.

Podman support

Maven and Gradle plugins now support using the Podman container engine as an alternative to the Docker engine when building images with Cloud Native Buildpacks.

Is Docker really gone?

Cache2k support

Added dependency management and auto-configuration for cache Cache2k. Customize default cache settings by defining the Cache2kBuilderCustomizer bean.

Jackson Mixin Simplified Registration

Jackson’s autoconfiguration will now scan your application package for Mixin classes with the @JsonMixin annotation and register them to the ObjectMapper.


There are some other dependency upgrades, see the official release notes for details.

Spring Security

Yesterday Spring Security 5.7.1, 5.6.5, 5.5.8 were released before M5 of Spring Security 6.6.0 was released.

Spring Security 5.7.1, 5.6.5, 5.5.8 were released the day before yesterday and Spring Security 6.6.0 (M5 version) was released before that.