⚡ Spring AI 2.0 RC1 will break your tool calling: migrate now
You bumped the Spring AI version, pushed to staging, and your agent just stopped calling its tools. No error. No stack trace. Nothing in the logs. The model answers as if the tools never existed, and you just burned an afternoon chasing a bug in the wrong place.
This scenario will be common once Spring AI 2.0 hits GA. The RC1, released on 6 June 2026, removed the built-in tool execution loop from every ChatModel. If your code still registers tools by name with toolNames(), they will turn into ghosts. In this article you will see exactly what changed and how to migrate before GA catches you off guard.
The Spring Security Release Train Delayed Twice Arrives This Week: What to Update Now
In April 2026, AI tools scanned the Spring ecosystem and found 26 CVEs in a single month. The release train delayed twice is finally here: June 8-14. If you have Spring in production, this is the week to act.
JDK 27 in Rampdown: Compact Object Headers Will Shrink Your Pod Heap Automatically
JDK 27 entered Rampdown Phase One on June 4, 2026. GA is set for September 14, 2026. Two JEPs will reduce the memory footprint of every Java application in production without changing a single line of code: JEP 534 (Compact Object Headers by Default) and JEP 523 (G1GC as Universal Default).
Spring AI 2.0 RC1: What Breaks in Your Tools Code (Migration Guide)
If you have Spring AI code that uses toolNames(), SpringBeanToolCallbackResolver, or relies on the internal tool execution loop inside ChatModel, it will break when Spring AI 2.0 GA ships. The RC1 released on June 6, 2026 consolidates all the changes. Here is the complete guide with before/after code for each breaking change in the Tool Calling Overhaul.
Spring Boot 3.5 EOL June 2026: Complete Migration Guide to Spring Boot 4
Spring Boot 3.5 loses OSS support on June 30, 2026. If your project is still on Boot 3.x, you have less than 30 days to plan the migration. Boot 4 requires Java 21, removes JUnit 4 from the default classpath, forces Hibernate 7, and removes Undertow. Here is the complete checklist with before/after code for each breaking change.
🧨 The catch(IOException) that swallows your Jackson 3 errors
You migrated your application to Spring Boot 4, ran the whole test suite, everything green. Shipped to production on a quiet Tuesday. Then, three days later, support opens a ticket: the API is returning HTTP 200 with a half-baked payload, no exception thrown, no error log, no alert. The catch (IOException e) that always caught your JSON problems stopped catching them. And nobody warned you.
The culprit has a name: Jackson 3. Spring Boot 4 swapped the default JSON serializer and, with it, came a silent change in the exception hierarchy that breaks error handling for anyone who migrated on autopilot. Let's understand what changed and fix it the right way, before your customer finds out first.
🔒 I Migrated to Spring Boot 4 and My APIs Started Returning 403
You upgraded to Spring Boot 4, ran the local tests, deployed. Then the first POST in production came back 403. No stack trace, no error log, nothing useful in the console. You double-check the JWT token, touch the CORS config, review the authentication filter, and everything looks fine. The GET works, but every write method dies with 403.
The root cause is not in your code. Spring Security 7, bundled with Spring Boot 4, turned on CSRF protection for your APIs without telling you. In this article you will understand why this happens, how to diagnose it in two minutes, and how to fix it the right way, without disabling security in a panic.
🚀 The Java 25 business case your team still hasn't made
There is a way to cut cloud costs, speed up startup and reduce concurrency bugs all at once, and most Java teams still have not built that argument for their manager. It is not one isolated feature, it is the set of things that Java 25 LTS delivers in one go. Today you walk out with the numbers and the code in hand to make the case for the migration.
The scene is always the same. That planning meeting where someone suggests bumping the Java version, and the manager asks the fairest question in the world: "why migrate now, what is the return?". If your answer is "because it is the new version", you have lost the argument. Let us build an answer that fits on a slide and holds up in production.
🤖 Turn your Spring Boot 4 into an AI tool with 3 annotations
There is a way to expose any Spring Boot 4 service as a tool for an AI agent without writing a single line of infrastructure code, and most Java developers still do not know it has fully arrived. With Spring AI 2.0, three annotations (@McpTool, @McpToolParam and @McpResource) turn an ordinary method into a tool that Claude, ChatGPT or any MCP client can see and call on its own.
In this article we go from zero to a running MCP Server: the starter in the build, the annotated service, the production configuration and the client consuming it. All with code that looks like production, the way senior engineers do it. Let us build it.
🔒 The mistake of running Config Server in a pod with a shared volume
The number one mistake of teams running Spring Cloud Config Server in production today is treating the pod filesystem as if it were theirs alone. Shared volume, basedir cloned by JGit, and a namespace neighbor that swaps the path for a symlink at just the right moment. The result is reading and writing files outside the expected directory.
That scenario became CVE-2026-41002 (CVSS 7.4), disclosed on 2026-05-06 and fixed in Spring Cloud Config 4.3.3 and 5.0.3. It is a TOCTOU flaw, and it lands right on the cloud-native architecture most of us use without a second thought. Let's break down what happens and how to lock it down today.
Spring Boot 4: Why Your REST APIs Started Returning 403
You migrated to Spring Boot 4, deployed to production, and suddenly every POST and PUT started returning 403 Forbidden. GET works fine. Local curl passes. Unit tests are green. But the frontend broke completely, and nobody touched a single line of controller code. You open the logs and there is no stack trace, no business exception, nothing. Just a dry 403 that shows up before the request ever reaches your code.
Relax, it is not a curse. The root cause is not in your code: it is CSRF, now enabled by default in Spring Security 7, which Spring Boot 4 ships with. In this article we will understand why this 403 appears, the difference between the wrong way and the right way to fix it, and how to adjust your security configuration without opening a hole that comes back to haunt you in the next audit.
Your blocking code now scales like reactive in Spring Boot 4
There is a way to multiply your API throughput without rewriting a single line of business code, and most developers have not even noticed it shipped enabled by default. In Spring Boot 4, Virtual Threads are the default behavior on Tomcat and Jetty. That same blocking @RestController you have written since 2018 now holds thousands of concurrent requests on the same hardware.
For years the answer to "how do I scale this" was rewriting everything in WebFlux, with Flux, Mono and a learning curve that pushed half the team away. Spring Boot 4 changes that conversation. In this article you will see, with production code, what actually changes in your project, when the gain is real and when it does not happen.
Kubernetes Infrastructure in Java: How Pulumi Eliminates YAML
There's a way to manage all your Kubernetes infrastructure with real Java code, typed, testable, and Git-versionable. Most Spring Boot teams still don't know the Pulumi Java SDK enables this. No 400-line YAML files. No "works on my machine." Real infrastructure as code.
Page 2 of 4