Spring Framework
The Spring Framework is an open-source application framework for the Java platform that provides comprehensive infrastructure support for developing modern, scalable enterprise applications, emphasizing dependency injection (DI) and inversion of control (IoC) to simplify configuration and promote loose coupling.[1] Created by Rod Johnson in 2003 as a response to the perceived complexity and over-engineering of early J2EE specifications, it originated from ideas in Johnson's book Expert One-on-One J2EE Design and Development and evolved into a full framework with the release of version 1.0 in 2004.[2][3]
At its core, the framework offers a lightweight container for managing application objects through DI, enabling developers to focus on business logic while handling cross-cutting concerns like transaction management, security, and data access.[4] It is modular, comprising about 20 distinct modules organized into key areas: the Core Container (including Beans, Core, Context, and Expression Language for foundational IoC and configuration); Data Access/Integration (supporting JDBC, ORM, JMS, and transaction management); Web (for servlet-based and reactive web applications); AOP and Instrumentation (for aspect-oriented programming and JVM integration); Messaging (for asynchronous communication); and Testing (for unit and integration testing).[3] This modular design allows selective use of components, making it adaptable to various deployment platforms, from traditional servers to cloud-native environments.[1]
The framework's design philosophy prioritizes simplicity, testability, and non-invasiveness, promoting portable service abstractions and POJO-based development to reduce boilerplate code and vendor lock-in.[3] Over its two decades, Spring has influenced the Java ecosystem profoundly, powering projects like Spring Boot for rapid application development, Spring Security for authentication, and Spring Data for repository abstractions, and it continues to evolve with support for modern standards like Jakarta EE and reactive programming.[5] As of November 2025, the current production version is 7.0.0, requiring Java 17 or later and aligning with Jakarta EE 11 for enhanced performance and cloud readiness.[1]
History and Development
Origins and Key Contributors
The Spring Framework was founded by Rod Johnson in 2002 as a response to the perceived complexities and inefficiencies in early Java 2 Platform, Enterprise Edition (J2EE) development practices. Johnson's motivation stemmed from his experiences as a consultant, where he observed that enterprise Java applications were often overburdened by invasive specifications, particularly the heavy use of Enterprise JavaBeans (EJBs), which required extensive boilerplate code and tied business logic to container-specific implementations. This critique was detailed in his book Expert One-on-One J2EE Design and Development, published in October 2002, which advocated for simpler, more maintainable approaches using plain old Java objects (POJOs) and introducing concepts like dependency injection to decouple components and promote testability. The accompanying framework code in the book laid the groundwork for what would become Spring, aiming to streamline enterprise development by providing lightweight alternatives to J2EE standards.
The initial open-source release of the Spring Framework occurred in June 2003, distributed under the Apache License 2.0 to encourage broad adoption and community contributions.[2] This early version focused on core inversion of control mechanisms and configuration management, marking a shift toward modular, non-intrusive Java application development. The framework quickly gained traction among developers seeking to avoid the verbosity of traditional J2EE while retaining its power for building robust enterprise systems.
Key early contributors included Rod Johnson as the primary architect, alongside Juergen Hoeller, who joined shortly after the initial release and became instrumental in enhancing the framework's core features, such as its bean factory and configuration support. The project was initially stewarded by Interface21, a company co-founded by Johnson in 2004 to provide commercial support and services around Spring. Interface21 was renamed SpringSource in November 2007 and acquired by VMware in 2009 for $420 million, which provided resources for further professionalization while keeping the core project open-source. In 2013, SpringSource was integrated into Pivotal Software, a joint venture involving VMware, EMC, and General Electric, before returning under VMware's direct stewardship. These contributors emphasized collaborative development, with Hoeller's full-time dedication helping transform Spring from an experimental codebase into a foundational Java ecosystem tool. Following VMware's acquisition by Broadcom in November 2023, the project is now stewarded under Broadcom's portfolio.[6][7][8]
Major Releases and Evolution
The Spring Framework's evolution has been marked by a series of major releases that have progressively enhanced its capabilities, aligning with advancements in the Java ecosystem and enterprise application development needs. Each version has introduced foundational features while maintaining backward compatibility where possible, enabling widespread adoption in production environments.[1]
Version 1.0, released on March 24, 2004, established the framework's core by introducing the Inversion of Control (IoC) container for dependency injection and basic Aspect-Oriented Programming (AOP) support, providing a lightweight alternative to heavy-weight J2EE specifications.[9]
Spring Framework 2.0, launched on October 3, 2006, expanded configuration flexibility with XML namespaces, added annotation-based configuration to reduce boilerplate code, and integrated more deeply with AspectJ for advanced AOP capabilities.[10]
The 3.0 release in December 2009 brought Java-based configuration via JavaConfig, introduced the Spring Expression Language (SpEL) for dynamic expressions, and added support for RESTful web services, facilitating more declarative and concise application setup.
Version 4.0, released on December 12, 2013, provided first-class support for Java 8 features like lambdas and streams, incorporated WebSocket for real-time communication, and emphasized modularization to allow selective inclusion of components.[11]
Spring 5.0, which went general availability on September 28, 2017, established Java 8 as the minimum baseline and introduced reactive programming paradigms through Spring WebFlux, enabling non-blocking, asynchronous applications built on Project Reactor.[12]
In November 2022, version 6.0 marked a significant shift by migrating to Jakarta EE 9+ APIs from Java EE, and added native image support via GraalVM for faster startup times and reduced memory footprints in cloud-native deployments.
The 6.2.x series, culminating in stable releases through 2025 including 6.2.12 on October 16, 2025, incorporated virtual threads from Java 21 for scalable concurrency, enhanced observability with Micrometer integrations for metrics and tracing, and served as the stable branch prior to the 7.0 release.[13][14]
Version 7.0, released on November 13, 2025, focuses on API versioning for better client compatibility, enhanced concurrency support including @ConcurrencyLimit and integration with Java's virtual threads, built-in resilience patterns like retries and concurrency limits, and optimizations for Java 17 and later (recommending Java 25), including tighter integration with Jakarta EE 11. It is the current stable release as of November 2025.[15][16]
Throughout its history, the framework's development has transitioned across organizational ownership: originating under Interface21 in 2004, rebranded as SpringSource in November 2007, acquired by VMware in August 2009 for $420 million, integrated into Pivotal Software in 2013, and following VMware's acquisition by Broadcom in November 2023, now stewarded under Broadcom's portfolio.[7][8]
Core Principles
Inversion of Control and Dependency Injection
Inversion of Control (IoC) is a core design principle in the Spring Framework where the framework assumes responsibility for managing the lifecycle and configuration of application objects, known as beans, thereby inverting the traditional flow of control from the application code to the container.[4] This approach promotes loose coupling by externalizing the creation and assembly of objects, allowing developers to focus on business logic rather than infrastructure concerns.[4] The Spring IoC container, implemented primarily through the BeanFactory and ApplicationContext interfaces, reads configuration metadata to instantiate, configure, and assemble beans as needed.[4]
Dependency Injection (DI) represents a specific implementation of IoC in Spring, wherein dependencies between objects are provided externally by the container rather than the objects creating or locating them themselves.[17] This technique enhances modularity, testability, and maintainability by making dependencies explicit and configurable.[17] Spring supports three primary DI mechanisms: constructor injection, setter injection, and field injection.
Constructor injection involves passing dependencies as arguments to a bean's constructor, ensuring that the bean is fully initialized with required dependencies upon creation and promoting immutability.[17] For example, a service class might declare a constructor parameter for a repository dependency, which the container resolves and injects during instantiation; this approach is preferred for mandatory dependencies as it prevents partial object states.[17] Setter injection, in contrast, uses setter methods to inject dependencies after the bean is instantiated, allowing for optional or reconfigurable dependencies but risking incomplete initialization if setters are not called.[17] An example would be annotating a setter method with @Autowired to wire a logger dependency. Field injection directly injects dependencies into private fields using annotations like @Autowired, bypassing getters and setters for simplicity, though it complicates testing due to hidden dependencies and is generally discouraged for production code.[17]
Beans in the Spring IoC container have configurable scopes that determine their lifecycle and instance sharing. The singleton scope, the default, ensures a single shared instance per container, suitable for stateless services like DAOs. Prototype scope creates a new instance each time the bean is requested, ideal for stateful objects requiring isolation. In web applications, request scope ties an instance to the lifecycle of an HTTP request, session scope to an HTTP session, application scope to the ServletContext, and websocket scope to a WebSocket session, enabling context-specific behaviors without manual management.
Spring provides multiple configuration options for defining beans and their dependencies, evolving from XML-based to more declarative approaches. XML configuration uses schema-defined elements to specify class names, dependencies, and properties, offering fine-grained control but verbosity. Annotation-based configuration leverages stereotypes like @Component, @Service, @Repository, and @Controller to mark classes for automatic detection via component scanning, with @Autowired, @Inject, or @Resource annotations handling injection points on fields, methods, or constructors. Java-based configuration, introduced as an alternative, employs @Configuration classes to define beans programmatically through @Bean methods, which return instances wired by the container, providing type safety and reduced XML reliance.[18]
To manage bean lifecycles, Spring supports callbacks that allow custom initialization and cleanup logic.[19] Beans can implement the InitializingBean interface to override the afterPropertiesSet() method for post-dependency setup or the DisposableBean interface for the destroy() method on shutdown.[19] Alternatively, the JSR-250 standard annotations @PostConstruct and @PreDestroy can be placed on methods for initialization after dependency injection and cleanup before destruction, respectively, offering a portable and less intrusive option.[19] These callbacks execute in a defined order: dependency injection first, followed by @PostConstruct or afterPropertiesSet(), and symmetrically for destruction.[19]
Aspect-Oriented Programming
Aspect-oriented programming (AOP) in the Spring Framework provides a way to modularize crosscutting concerns, such as logging, security, and caching, that span multiple objects and modules, complementing object-oriented programming by separating these concerns from core business logic.[20] This approach allows developers to declare common behaviors declaratively without scattering code throughout the application, addressing limitations in traditional OOP where such concerns often lead to duplication and reduced maintainability.[21] Spring's AOP implementation focuses on method-level interception for Spring-managed beans, enabling concise and powerful aspect definitions using either schema-based configuration or annotations.[20]
Core concepts in Spring AOP include aspects, which serve as modular units encapsulating crosscutting logic, typically implemented as regular classes or classes annotated with @Aspect; join points, which represent well-defined points in program execution, such as method calls or executions on Spring beans; pointcuts, which are expressions (using AspectJ's pointcut language) that match sets of join points to determine where advice applies; and advice, which defines the specific actions an aspect takes at those join points.[21] Advice comes in several types: before advice executes prior to the join point but cannot prevent its execution unless an exception is thrown; after returning advice runs only if the join point completes successfully; after throwing advice triggers on exceptions; after (finally) advice executes regardless of outcome; and around advice, the most versatile, wraps the join point to control its execution flow, including optional suppression or modification.[21] These elements work together to weave behaviors transparently around target objects.
Spring AOP employs a proxy-based mechanism for weaving aspects at runtime, without requiring compile-time modifications or special class loaders.[22] By default, it uses JDK dynamic proxies for target objects that implement one or more interfaces, allowing interception of interface method calls.[23] For classes lacking interfaces, Spring falls back to CGLIB (Code Generation Library) to generate subclasses that intercept method invocations, ensuring broad compatibility while maintaining pure Java implementation.[23] This proxying approach limits Spring AOP to method execution join points on Spring beans but covers the majority of enterprise needs efficiently.[22]
To extend capabilities beyond proxies, Spring integrates seamlessly with AspectJ, a full-featured AOP extension for Java, supporting annotation-driven development via annotations like @Aspect for aspect classes and @Pointcut for defining reusable pointcut expressions.[24] This style leverages AspectJ's type-safe pointcut language while relying on Spring's runtime infrastructure for weaving, without needing the AspectJ compiler.[24] For scenarios requiring broader join point support, such as field access or constructor execution, Spring enables load-time weaving (LTW), where AspectJ aspects are dynamically applied to class files as they load into the JVM, configured via Spring's LoadTimeWeaver bean and an aop.xml descriptor.[25]
Common use cases for Spring AOP include applying security advice to enforce authentication and authorization on methods, caching advice to store and retrieve results transparently for performance optimization, and custom logging or monitoring advice to track application behavior without invasive changes to business code.[20] These applications demonstrate AOP's strength in handling orthogonal concerns modularly. Aspects themselves are managed as Spring beans, benefiting from dependency injection for wiring dependencies like data sources or configuration properties.[24]
Core Modules
Container and Configuration
The Spring Framework's Inversion of Control (IoC) container serves as the core runtime environment for managing application objects, known as beans, by handling their instantiation, configuration, assembly, and lifecycle.[26] It enables developers to define beans and their dependencies declaratively, promoting loose coupling and modularity in Java applications.[27] The container supports multiple configuration formats, allowing flexibility in how beans are specified and wired together.[28]
At the foundation of the IoC container lies the BeanFactory interface, which provides basic functionality for bean instantiation and dependency resolution on demand.[26] BeanFactory is lightweight and suitable for resource-constrained environments, as it does not eagerly initialize singleton beans but creates them only when requested via getBean().[29] In contrast, the ApplicationContext extends BeanFactory with advanced enterprise features, including hierarchical contexts for parent-child relationships that allow bean inheritance across contexts, automatic resource loading from various sources like the classpath or file system, and built-in event publishing for application events such as context refresh or close.[26] Hierarchical contexts enable modular configurations, where child contexts can override or extend beans from parent contexts without duplication.[26] ApplicationContext also supports internationalization (i18n) through message sources and environment abstraction for profiles and properties, making it the preferred choice for most Spring applications.[30]
Beans are defined within the container using various mechanisms to specify their classes, scopes, dependencies, and initialization details.[27] In XML-based configuration, beans are declared using the <bean> element, which includes attributes like id, class, scope, and depends-on to outline the bean's identity, implementation, lifecycle scope (e.g., singleton or prototype), and prerequisites.[27] For annotation-driven approaches, classes are annotated with @Component, @Service, @Repository, or @Controller, and the container scans specified packages via @ComponentScan to detect and register these as beans automatically.[31] Programmatic definition is achieved through the BeanDefinitionRegistry interface, where developers can register custom BeanDefinition objects at runtime, offering fine-grained control for dynamic or conditional bean creation.
Dependency injection in the container is facilitated through autowiring, which automatically resolves and injects collaborators into beans based on predefined modes.[17] The byName mode matches dependencies by bean names against property or constructor parameter names, while byType resolves them by matching types, potentially requiring additional qualifiers if multiple candidates exist.[17] Constructor autowiring uses the bean's constructor to inject dependencies, ensuring immutability and mandatory resolution, and is the default mode for beans with a single constructor argument.[17] To resolve ambiguities in byType or constructor injection, the @Qualifier annotation specifies the exact bean name or type, overriding default matching rules for precise wiring.[28]
Spring supports environment-specific configurations through profiles and property sources, allowing beans to be activated conditionally based on runtime contexts like development, testing, or production.[30] The @Profile annotation on classes or @Bean methods limits registration to active profiles, set via system properties, environment variables, or programmatically, enabling segregated configurations without code duplication.[32] Externalized properties are managed through PropertySources, which integrate placeholders like ${property.key} into bean definitions, sourcing values from files, JVM arguments, or custom providers for flexible, non-hardcoded settings.[30]
For complex object creation beyond simple instantiation, the container employs FactoryBean implementations, which act as intermediaries to produce and configure objects dynamically.[27] A FactoryBean defines a getObject() method to return the actual bean instance, allowing encapsulation of creation logic such as proxy generation or resource pooling, while the container manages the FactoryBean itself as a regular bean.[33] Method injection addresses scenarios where singletons need to reference non-singleton (e.g., prototype) dependencies, using lookup methods annotated with @Lookup or XML <lookup-method> to dynamically resolve fresh instances at runtime without altering the singleton's state.[34] This technique leverages bytecode generation to override methods, ensuring thread-safe access to transient dependencies in long-lived beans.[34]
Expression Language and SpEL
The Spring Expression Language (SpEL) is a powerful expression language introduced in Spring Framework 3.0 that supports querying and manipulating object graphs at runtime.[35] Its syntax is similar to Unified EL, encompassing literals, relational operators, arithmetic operations, logical operators, and string concatenation, while offering additional capabilities such as method invocation and basic string templating.[36] SpEL enables dynamic evaluation of expressions within Spring configurations, allowing for flexible and concise definitions without extensive boilerplate code.[35]
SpEL is commonly used in annotations for runtime value injection and conditional logic. The @Value annotation, for instance, supports SpEL expressions to inject values from properties, system properties, or computed results into fields, methods, or parameters.[36] Similarly, @Bean methods can incorporate SpEL for dynamic bean creation based on contextual data, such as environment variables or bean references.[35] These usages promote loose coupling by deferring value resolution until application startup or execution.
Key features of SpEL include support for variables, which are referenced using the # prefix (e.g., #var), allowing access to context-specific data like root objects or custom variables set via EvaluationContext.[37] Type coercion is handled through the EvaluationContext interface, which resolves properties, methods, and fields while performing necessary conversions to match target types.[36] Collection operations are enhanced with projection (![] syntax to extract elements matching a subexpression) and selection (.?[ ] to filter collections based on criteria).[38][39] The safe navigation operator (?.) prevents NullPointerExceptions by returning null if a property or method invocation on a null object is attempted.[40]
SpEL integrates seamlessly across Spring components, including bean definitions for dynamic property setting in XML or annotation-based configurations, security expressions in Spring Security for authorization rules (e.g., @PreAuthorize), and AOP pointcuts for conditional advice application.[35] In bean definitions, it supports conditional creation, such as enabling a bean only if a system property meets a threshold:
java
@Bean
@ConditionalOnExpression("#{systemProperties['java.version'] > '17'}")
public MyBean myBean() {
return new MyBean();
}
@Bean
@ConditionalOnExpression("#{systemProperties['java.version'] > '17'}")
public MyBean myBean() {
return new MyBean();
}
This example evaluates the Java version at runtime to determine bean instantiation. Overall, SpEL's extensibility via custom resolvers and compilers enhances its utility for complex, runtime-adaptive applications.[35]
Data Access and Integration
JDBC and ORM Support
Spring's JDBC support provides abstractions that simplify database access by handling boilerplate code, resource management, and exception translation, making it easier to perform operations on relational databases.[41]
The JdbcTemplate class serves as the central component for executing SQL queries, updates, and batch operations, automatically managing connections, statements, and result sets while translating JDBC-specific exceptions into Spring's unchecked DataAccessException hierarchy.[42] For instance, it offers methods like query() for retrieving data, update() for modifications, and batchUpdate() for efficient bulk inserts or updates, reducing the need for manual try-catch-finally blocks.[41]
DAO support in Spring facilitates the implementation of data access objects through base classes like JdbcDaoSupport and the @Repository annotation, which enables automatic exception translation and component scanning for repositories.[43] The @Repository marker stereotype identifies classes as data access components, allowing Spring to intercept and convert vendor-specific exceptions into the portable DataAccessException types, such as DataAccessResourceFailureException or DataIntegrityViolationException.[44]
Connection management is handled via DataSource configuration, which Spring obtains through dependency injection, supporting JNDI lookups for enterprise environments and integration with connection pools like HikariCP for efficient resource handling.[45] HikariCP is preferred for its performance and concurrency features, configurable as the default pooling implementation in Spring Boot but adaptable in core Spring applications.[46]
For native SQL operations, NamedParameterJdbcTemplate extends JdbcTemplate to support named parameters (e.g., :name in queries), improving code readability over positional placeholders and preventing SQL injection when bound properly.[47] Similarly, SimpleJdbcInsert simplifies INSERT statements by allowing table name specification and automatic column inference from entity properties, executing via the underlying JdbcTemplate.[48]
Spring's ORM support integrates with frameworks like JPA, Hibernate, and EclipseLink, providing resource management, DAO implementations, and seamless transaction participation through EntityManagerFactory and transaction managers.[49] For JPA, Spring offers JpaRepository interfaces via Spring Data JPA, which extend CrudRepository to provide methods for entity persistence, querying, and pagination, with built-in support for Hibernate and EclipseLink as providers.[50] These integrations ensure ORM operations are wrapped in Spring transactions when annotated with @Transactional, aligning with the framework's declarative transaction model.[51]
Messaging and JMS
Spring's messaging support provides abstractions for integrating Java Message Service (JMS) into applications, enabling simplified handling of asynchronous communication without direct dependency on vendor-specific APIs.[52] This framework abstracts the complexity of JMS sessions, connections, and exception handling, allowing developers to focus on business logic while supporting both point-to-point and publish-subscribe messaging patterns.[52] By leveraging Spring's dependency injection, applications can configure and inject JMS resources declaratively, promoting loose coupling and testability.[52]
Central to this support is the JmsTemplate class, which facilitates synchronous sending and receiving of JMS messages.[53] It handles resource acquisition and release automatically, converting exceptions to Spring's unchecked hierarchy for consistent error management.[52] For sending, methods like convertAndSend serialize objects into JMS messages using built-in converters, such as SimpleMessageConverter for text or MappingJackson2MessageConverter for JSON payloads.[52] Receiving operations, such as receiveAndConvert, block until a message arrives and deserialize it back to domain objects, making it suitable for request-reply scenarios.[52] An example usage involves injecting JmsTemplate into a service and invoking jmsTemplate.convertAndSend("queueName", order) to dispatch an order object.[54]
For asynchronous message consumption, Spring introduces message-driven Plain Old Java Objects (POJOs) via the @JmsListener annotation, introduced in Spring 4.1.[55] This annotation marks methods to automatically register as JMS listeners, with Spring managing the underlying MessageListenerContainer for thread pooling, connection recovery, and error handling.[55] Listeners can participate in transactions through container configuration, ensuring message acknowledgment aligns with application-level commits, though detailed transaction semantics are handled elsewhere.[55] Error handling is customizable via @JmsListener attributes like errorHandler or global resolvers, allowing retries or dead-letter queue routing for failed processing.[55] A typical listener might be annotated as @JmsListener(destination = "inputQueue") public void processMessage([Order](/page/Order) order) { ... }, where the method parameter is automatically converted from the incoming JMS message.[56]
Spring integrates with popular message brokers through JMS-compliant providers and dedicated projects. For Apache ActiveMQ, configuration uses JMS ConnectionFactory implementations like ActiveMQConnectionFactory, enabling embedded or remote broker setups.[57] RabbitMQ support comes via the Spring AMQP project, which provides RabbitTemplate analogous to JmsTemplate and @RabbitListener for AMQP-specific messaging, bridging non-JMS protocols. Apache Kafka integration is offered through Spring for Apache Kafka, supporting Kafka producers and consumers with KafkaTemplate for sending and @KafkaListener for reactive or batch consumption.[58] These integrations share Spring's abstraction layer, allowing applications to switch brokers with minimal code changes.[57]
Connection factories are configured as Spring beans, often auto-configured in Spring Boot via properties like spring.jms.* for vendor selection and pooling.[57] For instance, an ActiveMQConnectionFactory can be defined with @Bean and properties for broker URL, username, and password, then injected into JmsTemplate or listener containers.[59] This setup ensures connections are cached and reused, with support for XA transactions where messages participate alongside other resources.[57]
For more advanced messaging patterns, Spring ties into the Spring Integration module, which extends JMS support with components like message channels for decoupling producers and consumers, routers for conditional message dispatching based on headers or payloads, and transformers for modifying message content en route. These elements enable enterprise integration patterns, such as content-based routing or enrichment, while building on core JMS abstractions.[60]
Transaction and Batch Processing
Transaction Management
Spring's transaction management provides a consistent abstraction for handling transactions across various transaction APIs, including JTA, JDBC, Hibernate, and JPA, enabling both declarative and programmatic approaches to ensure data integrity in enterprise applications.[61] This abstraction simplifies transaction demarcation, exception handling, and resource synchronization without requiring an application server for basic cases.[61] By leveraging the Spring container, developers can focus on business logic while the framework manages ACID properties like atomicity, consistency, isolation, and durability.[61]
Declarative transaction management in Spring primarily uses the @Transactional annotation, which declares transactional semantics on classes, methods, or interfaces and is processed via AOP proxies to intercept calls and apply transaction advice.[62] The annotation's propagation attribute controls transaction boundaries, with PROPAGATION_REQUIRED (the default) joining an existing transaction or creating a new one if none exists, ensuring seamless participation in outer transactions.[63] In contrast, PROPAGATION_REQUIRES_NEW suspends any existing transaction and starts a new one, allowing independent commit or rollback independent of the outer context.[63] The isolation attribute specifies the transaction's isolation level, such as Isolation.DEFAULT (using the database's default), READ_COMMITTED (preventing dirty reads), REPEATABLE_READ (avoiding non-repeatable reads), or SERIALIZABLE (full isolation to prevent phantom reads).[64] Rollback rules are configured via rollbackFor and noRollbackFor attributes; by default, unchecked exceptions (like RuntimeException) trigger rollback, while checked exceptions do not, but custom rules can override this based on exception types or patterns.[65]
At the core of Spring's transaction infrastructure is the PlatformTransactionManager interface, which abstracts transaction coordination for specific resources.[61] For JDBC-based applications, DataSourceTransactionManager binds a JDBC Connection from a DataSource to the current thread and manages its transaction lifecycle.[61] For JPA, JpaTransactionManager integrates with a single EntityManagerFactory, handling EntityManager transactions and supporting direct JDBC access within the same transaction.[66]
In contrast to declarative approaches, programmatic transaction management offers fine-grained control using the TransactionTemplate class, which simplifies demarcation through a callback mechanism that handles begin, commit, and rollback automatically.[67] Developers inject a TransactionTemplate configured with a PlatformTransactionManager and invoke its execute method with a TransactionCallback, avoiding boilerplate code compared to direct API usage like JTA.[67] This method suits scenarios requiring conditional transaction logic not easily expressed declaratively.
Spring supports chained or nested transactions through propagation types like PROPAGATION_NESTED, which uses database savepoints to allow inner operations to rollback to a specific point without affecting the outer transaction.[63] Savepoints act as markers within the transaction, enabling partial rollbacks for nested calls while preserving the overall transaction integrity upon successful completion.[63]
For distributed transactions spanning multiple resources, Spring integrates with JTA via JtaTransactionManager, supporting XA protocols for two-phase commit coordination.[68] Embedded transaction managers like Atomikos provide non-XA alternatives or full XA support without an external server, allowing declarative @Transactional usage across XA-compliant resources such as multiple databases.[68]
Batch Framework
Spring Batch is a lightweight, comprehensive framework within the Spring ecosystem designed to enable the development of robust batch applications for processing large volumes of data, such as ETL (Extract, Transform, Load) operations vital to enterprise systems.[69] It provides reusable functions for logging/tracing, transaction management, job processing statistics, job restart, skip, and resource management, allowing developers to focus on business logic rather than infrastructure concerns.[69] The framework follows a domain-driven design, modeling batch concepts like jobs and steps to support restartability, scalability, and fault tolerance in production environments.[70]
At its core, Spring Batch organizes processing into jobs and steps, forming the foundational architecture for batch workflows. A job represents a complete batch process, composed of one or more independent steps executed sequentially or in parallel, with each step encapsulating a specific phase of data handling.[70] Steps leverage three primary interfaces to implement the read-process-write pattern: ItemReader, which reads data one item at a time from sources like files, databases, or queues, including composite readers for sequential access from multiple sources (introduced in Spring Batch 5.2); ItemProcessor, an optional component that transforms or validates individual items; and ItemWriter, which writes processed items in bulk to destinations such as databases or files.[71] This pattern promotes modularity, enabling developers to configure readers, processors, and writers as Spring beans for reuse across jobs.[71]
Spring Batch primarily employs chunk-oriented processing for steps, where data is read sequentially, processed into configurable chunks, and written within transaction boundaries to ensure atomicity and consistency.[72] The chunk size determines the number of items processed per transaction—typically set to balance memory usage and performance, with a default of 1 if unspecified—and can be adjusted via the chunk() method in step configuration.[72] To enhance fault tolerance, the framework supports skip and retry policies: skips allow non-fatal exceptions to be ignored up to a configurable limit (default 10), logging the skipped items for later review, while retries enable automatic reattempts of failed items a specified number of times for transient errors, excluding fatal exceptions like data integrity violations.[73][74] These mechanisms, combined with transaction rollback on chunk failure, provide robust error handling without halting the entire job.[74]
Central to job orchestration is the JobRepository, a persistence mechanism that stores metadata about job and step executions, including status, parameters, and execution history, to enable features like restart and monitoring.[75] By default, it uses JDBC to interact with relational databases via Spring's JdbcTemplate, creating tables for jobs, steps, and executions, but can be configured with JPA for object-relational mapping in environments preferring ORM-based persistence, MongoDB for NoSQL support (introduced in Spring Batch 5.2), or a resourceless in-memory implementation for testing and lightweight use cases.[75][76][77] This metadata allows jobs to resume from the last successful step upon failure, ensuring idempotency in long-running processes.[75]
For scaling large-scale workloads, Spring Batch offers several techniques to distribute processing. Partitioning divides a step into sub-steps (partitions) based on data ranges or keys, executed in parallel either within a single JVM or across multiple processes, with a master step coordinating workers via the JobRepository.[78] Multi-threaded steps enable concurrent item processing within a single process using a Spring TaskExecutor, configurable with thread counts and synchronization to avoid race conditions on shared resources.[78] Remote chunking extends this by offloading chunk execution to remote workers over messaging (e.g., JMS), where the master dispatches chunks and aggregates results, ideal for distributed environments.[78] These approaches can achieve linear scalability for data-intensive tasks, limited primarily by infrastructure constraints.[78]
Integrations enhance Spring Batch's usability in enterprise settings. Scheduling is achieved by combining jobs with Spring's TaskScheduler or @Scheduled annotations, triggering executions at defined intervals without replacing dedicated schedulers like Quartz.[69] The TaskExecutor integrates natively for asynchronous and multi-threaded execution within steps, providing thread pool management for performance tuning.[79] Monitoring leverages Micrometer-based metrics for job durations, item counts, and error rates, exposable via actuators for integration with tools like Prometheus, alongside JobRepository queries for execution history and listener interfaces for custom auditing.[80] Transaction boundaries in batch steps align with Spring's declarative management for commit intervals matching chunk sizes.[72]
Web and Reactive Support
Spring MVC Framework
Spring Web MVC, often referred to as Spring MVC, is the original web framework within the Spring ecosystem, built on the Jakarta Servlet API to enable the development of web applications using the Model-View-Controller (MVC) architectural pattern.[81] It provides a flexible and extensible mechanism for handling HTTP requests, processing business logic in controllers, and rendering views, all while leveraging Spring's dependency injection for managing components.[81] Since its inception with the Spring Framework, Spring MVC has been the go-to solution for traditional, servlet-based web applications, emphasizing imperative, blocking I/O operations.[81]
At the core of Spring MVC is the DispatcherServlet, which acts as the front controller responsible for coordinating the entire request-response lifecycle.[81] Upon receiving an HTTP request, the DispatcherServlet consults a HandlerMapping to identify the appropriate handler (typically a controller method) based on the request's URL, HTTP method, and other attributes.[81] Once the handler is selected, a HandlerAdapter invokes the handler method, which processes the request, populates a model with data, and returns a logical view name.[81] Finally, a ViewResolver translates the logical view name into a concrete view implementation (such as JSP or Thymeleaf), which renders the response back to the client.[81] This workflow ensures loose coupling between components, allowing customization of each step through Spring's configuration. Controllers in this setup are instantiated and managed as Spring beans via the Inversion of Control (IoC) container.[81]
Spring MVC supports an annotation-driven programming model, where developers use annotations to define controllers and map requests declaratively.[82] The @Controller annotation marks a class as a web controller, while @RequestMapping (or its specialized variants like @GetMapping and @PostMapping) annotates methods to handle specific HTTP requests, including support for path variables (e.g., /users/{userid} to extract userid as a method parameter), query parameters via @RequestParam, and content negotiation to select response formats based on the client's Accept header.[82] For example:
java
@Controller
public class UserController {
@RequestMapping(value = "/users/{id}", method = RequestMethod.GET)
public String getUser(@PathVariable Long id, Model model) {
// Retrieve user by id and add to model
return "userProfile"; // Logical view name
}
}
@Controller
public class UserController {
@RequestMapping(value = "/users/{id}", method = RequestMethod.GET)
public String getUser(@PathVariable Long id, Model model) {
// Retrieve user by id and add to model
return "userProfile"; // Logical view name
}
}
This approach simplifies configuration compared to traditional XML mappings.[82]
To enable annotation-based features, Spring MVC relies on annotation-driven configuration, which can be activated via the <mvc:annotation-driven /> element in XML-based setups or the @EnableWebMvc annotation in Java-based configuration classes.[83] These mechanisms automatically register necessary components, such as RequestMappingHandlerMapping for URL-to-method mapping and RequestMappingHandlerAdapter for method invocation, while also enabling advanced features like type conversion and validation.[83] In Java configuration, @EnableWebMvc imports the DelegatingWebMvcConfiguration, which delegates to sub-configurations for MVC-specific beans.[83]
Input validation in Spring MVC integrates seamlessly with the Bean Validation API (JSR-303, extended by JSR-380), allowing developers to annotate domain objects with constraints like @NotNull or @Size.[84] By applying the @Valid annotation to controller method parameters, Spring automatically triggers validation using a Validator instance, typically LocalValidatorFactoryBean, which bootstraps a JSR-303 provider like Hibernate Validator.[84] Validation errors are captured in a BindingResult object, enabling custom error handling, such as redirecting to an error view or returning error responses.[84] For instance:
java
@PostMapping("/users")
public String createUser(@Valid @ModelAttribute User user, BindingResult result) {
if (result.hasErrors()) {
return "userForm"; // Return to form with errors
}
// Save user
return "redirect:/users";
}
@PostMapping("/users")
public String createUser(@Valid @ModelAttribute User user, BindingResult result) {
if (result.hasErrors()) {
return "userForm"; // Return to form with errors
}
// Save user
return "redirect:/users";
}
This ensures robust data integrity without manual validation code.[84]
For building RESTful web services, Spring MVC introduces @RestController, a composite annotation that combines @Controller and @ResponseBody to automatically serialize method return values directly into the HTTP response body, bypassing view resolution. This is facilitated by HttpMessageConverters, a chain of converters that handle the transformation between Java objects and HTTP payloads in formats such as JSON (via Jackson) or XML (via JAXB).[85] Developers can customize the converters by registering additional beans, ensuring support for content negotiation where the response format is determined by the request's Accept header or a path extension.[85] In Spring Boot applications, default converters are auto-configured for common formats, enhancing REST API development efficiency.[85]
Spring WebFlux and Reactive Programming
Spring WebFlux is a reactive web framework introduced in Spring Framework 5.0, designed for building non-blocking, asynchronous web applications that handle high concurrency with fewer resources.[86] It supports Reactive Streams back pressure and operates on a fully non-blocking server architecture, enabling scalable applications for scenarios like real-time data streaming and microservices.[87] Unlike traditional synchronous models, WebFlux processes requests asynchronously, allowing threads to be released back to the pool during I/O operations.[88]
The reactive model in Spring WebFlux is built on Project Reactor, the default reactive library chosen for its seamless integration and support for Reactive Streams.[87] Project Reactor provides two primary types: Mono, representing an asynchronous result of 0 to 1 item, and Flux, for 0 to N items, enabling the composition of asynchronous data streams with operators for transformation, filtering, and error handling.[89] WebFlux leverages non-blocking I/O primarily through the Netty server, though it also supports Undertow and asynchronous Jakarta Servlet 5.0+ containers (such as Tomcat 10.1 and Jetty 11).[86] This setup allows applications to scale efficiently under load, as a small number of threads can manage thousands of concurrent connections without blocking.[90]
As of Spring Framework 6.2, WebFlux introduces support for rendering multiple views in a single request or streaming rendered views, facilitating advanced HTML streaming use cases.[91]
For defining reactive endpoints, WebFlux extends the annotation-based approach with @RestController, where controller methods can return Mono or Flux types to handle asynchronous responses.[86] For instance, a method annotated with @GetMapping might return a Mono for a single deferred value, automatically serializing it to the HTTP response body once resolved, thus avoiding thread blocking during computation or database calls.[92] This integration ensures that the entire request-response cycle remains non-blocking, with Spring automatically subscribing to the reactive types and managing back pressure.[93]
As an alternative to annotated controllers, WebFlux offers Router Functions, a functional programming model for routing and handling requests using immutable contracts.[94] Developers define routes with RouterFunction instances, matching requests via predicates (e.g., path, method, content type) and delegating to HandlerFunction for processing, which typically returns a Mono.[94] This approach promotes composability and testability, as routes can be nested or combined declaratively, for example:
java
RouterFunction<ServerResponse> route = RouterFunctions.route()
.GET("/hello", request -> ServerResponse.ok().bodyValue("[Hello World](/page/Hello_World)!"))
.build();
RouterFunction<ServerResponse> route = RouterFunctions.route()
.GET("/hello", request -> ServerResponse.ok().bodyValue("[Hello World](/page/Hello_World)!"))
.build();
Such functions can be registered directly with the RouterFunctionMapping bean, providing a lightweight option for simple APIs without class-based controllers.[94]
WebFlux includes robust support for WebSocket messaging, enhanced with STOMP (Simple Text Oriented Messaging Protocol) for structured communication over WebSockets.[95] Annotated controllers use @MessageMapping to handle incoming STOMP messages, similar to @RequestMapping in MVC, with methods processing Message<byte[]> payloads reactively via Mono or Flux.[96] For browser compatibility, SockJS provides a fallback transport layer, emulating WebSocket with polling or streaming when native support is unavailable.[97] Session management is handled through SimpMessagingTemplate for broadcasting and user-specific routing, with @SendTo or @SendToUser annotations directing responses to topics or individual sessions, ensuring reactive propagation of messages.[98]
Server-sent events (SSE) in WebFlux enable one-way streaming from server to client, ideal for live updates like notifications or progress reports.[99] Endpoints return a Flux from controllers or handler functions, where each event carries data, event type, and optional ID or retry intervals, automatically formatted as text/event-stream MIME type.[94] This leverages Reactor's streaming capabilities for back-pressured, non-blocking delivery.
WebFlux integrates with the RSocket protocol for binary, reactive communication, supporting request-response, request-stream, and fire-and-forget patterns over TCP or WebSocket.[100] In a WebFlux application, RSocket can be exposed via @MessageMapping in controllers or functional handlers, using RSocketRequester for outbound interactions, with payloads wrapped in Mono or Flux for full reactive interoperability.[101] This enables efficient, multiplexed messaging in distributed systems, such as between microservices.[102]
Additional Features
Remote Access and Remoting
Spring Framework facilitates remote access to services through abstractions that simplify the exposure and invocation of beans across distributed systems, primarily via synchronous remote procedure call (RPC) mechanisms. These abstractions decouple application code from underlying transport protocols, enabling developers to configure remoting declaratively using dependency injection. While earlier versions emphasized Java-specific protocols like RMI, modern usage prioritizes HTTP-based and standards-compliant approaches for interoperability.
Support for Remote Method Invocation (RMI) in Spring allows services to be exposed as RMI endpoints without direct interaction with RMI registries or stubs. Developers use the RmiServiceExporter to publish a Spring bean as an RMI service and the RmiProxyFactoryBean on the client side to create a proxy for remote invocations, handling exceptions and resource management transparently. This integration leverages Java's built-in RMI infrastructure for Java-to-Java communication over TCP/IP. However, RMI support has been deprecated since Spring Framework 5.3 due to security vulnerabilities in Java serialization and lack of broader adoption, with full removal in version 6.0.[103]
Hessian and Burlap provide lightweight, HTTP-based alternatives for RPC-style remoting, suitable for cross-language scenarios. Hessian employs binary serialization over HTTP for efficient data transfer, using HessianServiceExporter to expose services and HessianProxyFactoryBean for client proxies that marshal method calls into HTTP requests. Burlap, developed by Caucho Technology, offers a human-readable XML-based serialization variant with analogous classes (BurlapServiceExporter and BurlapProxyFactoryBean), trading efficiency for inspectability. Both protocols avoid the complexity of SOAP while supporting any Java interface, but like RMI, they rely on Java serialization and were deprecated in Spring 5.3 for similar security and maintenance reasons, removed in 6.0.[103]
The HTTP Invoker protocol enables Java-to-Java remoting over HTTP using Spring's custom serialization format, combining the simplicity of HTTP with Java-specific optimizations. Servers configure HttpInvokerServiceExporter to handle incoming requests, while clients use HttpInvokerProxyFactoryBean to generate proxies that serialize method invocations into HTTP POST bodies. This approach supports Spring's AOP features for remote calls and integrates seamlessly with servlet containers, but it is limited to Java environments. Deprecated in Spring 5.3 and removed in 6.0, it is no longer recommended due to deserialization risks and the preference for RESTful standards.[103]
For contemporary REST-based remoting, Spring provides client abstractions to consume HTTP services synchronously or reactively. The RestTemplate class, a synchronous HTTP client, simplifies REST interactions with methods like getForObject and postForEntity, supporting URI templates and automatic marshalling via HttpMessageConverter. However, it was placed in maintenance mode in Spring 5.0 and officially deprecated in 7.0, with migration encouraged to newer alternatives due to its blocking nature. The WebClient, introduced in Spring 5.0, offers a non-blocking, reactive interface built on Project Reactor, enabling fluent HTTP requests with backpressure handling and integration with Spring WebFlux for scalable remote access. In Spring 6.1, the RestClient emerged as a modern synchronous successor to RestTemplate, providing a builder-style API for concise, fluent calls while supporting the same converters and error handling. These clients facilitate remote service invocation in microservices architectures without tying to specific protocols.[104][105][106][107]
Spring integrates with gRPC, a high-performance RPC framework developed by Google, through the dedicated Spring gRPC project, which provides Spring Boot auto-configuration and annotations for service implementation. Developers annotate interfaces with @GrpcService to expose them as gRPC servers, leveraging Protocol Buffers for schema definition and efficient binary serialization over HTTP/2. Client-side support includes @GrpcClient for injecting stubs, with built-in load balancing and retry mechanisms. This integration aligns gRPC with Spring's dependency injection and lifecycle management, making it suitable for polyglot microservices requiring low-latency communication. As of version 0.9.0 in 2025, it supports observability via Micrometer and is progressing toward full GA integration in Spring Boot 4.[108][109]
For SOAP and broader web services, Spring supports integration with Apache CXF, an open-source framework for building RESTful and SOAP services. CXF embeds within Spring applications via XML or Java configuration, using JaxWsServerFactoryBean or annotations like @WebService to publish endpoints, while clients employ JaxWsProxyFactoryBean for dynamic proxies. The CXF Spring Boot starter automates endpoint scanning and security configuration, enabling seamless exposure of Spring beans as JAX-WS or JAX-RS services over HTTP. This combination leverages CXF's extensibility for WS-* standards while benefiting from Spring's inversion of control.[110][111]
Testing and Instrumentation
The Spring Framework provides robust support for unit and integration testing through its TestContext framework, which manages application contexts and facilitates dependency injection in test environments. This framework enables developers to load Spring contexts efficiently, apply configuration classes or XML files, and execute tests with minimal boilerplate, promoting test-driven development practices. Key annotations like @ContextConfiguration allow precise control over context initialization, supporting both full and partial loading strategies to optimize test performance.[112]
For more targeted testing, Spring Boot extends these capabilities with annotations such as @SpringBootTest, which loads the complete application context for comprehensive integration tests, including auto-configuration and embedded servers where needed. In contrast, @WebMvcTest offers context slicing, focusing solely on the web layer—particularly Spring MVC components like controllers— to enable faster, isolated unit tests without loading unrelated beans. These slicing annotations reduce test execution time by limiting the scope of context bootstrapping, making them ideal for focused verification of individual layers.[113]
MockMvc serves as a primary utility for testing Spring MVC controllers without starting an HTTP server, simulating requests and verifying responses within the test environment. It integrates seamlessly with the Spring Test module, allowing assertions on status codes, content types, and JSON payloads through a fluent API, thus ensuring controller logic behaves correctly under mock conditions. This approach avoids the overhead of full server spins, enhancing test speed and reliability.
Instrumentation in Spring includes load-time weaving (LTW) using the AspectJ agent, which dynamically applies aspect-oriented programming (AOP) aspects to classes as they load into the JVM, without requiring compile-time modifications. Enabled via @EnableLoadTimeWeaving or JVM arguments like -javaagent, LTW is particularly useful in tests to inject cross-cutting concerns such as logging or security without altering source code, bridging Spring's proxy-based AOP with AspectJ's full weaving capabilities.[25]
Spring's JMX integration, powered by the MBeanExporter, exposes managed beans (MBeans) for runtime monitoring and instrumentation, allowing external tools to query bean attributes and invoke operations. Configured declaratively, it automatically registers Spring-managed objects as JMX-compliant MBeans, supporting features like notification emission and remote access over JSR-160 connectors, which aids in diagnosing application health during development and testing.[114]
Core instrumentation tools in the Spring Framework lay the groundwork for profiling, with built-in support for observability through the Observation API in recent versions, enabling the publication of metrics and traces from framework components like data access and web layers. These precursors to Spring Boot Actuator's advanced endpoints provide foundational hooks for tools like Micrometer, allowing developers to instrument custom beans for performance analysis without vendor lock-in.[115]
Ecosystem and Extensions
Spring Boot for Rapid Development
Spring Boot is an extension of the Spring Framework designed to simplify the development of production-ready applications by emphasizing convention over configuration and reducing boilerplate code. It enables developers to create stand-alone Spring-based applications that can be run using java -jar, facilitating rapid prototyping and deployment without requiring extensive XML configurations or manual setup of dependencies.
A core feature of Spring Boot is its auto-configuration mechanism, which automatically configures Spring components based on the dependencies present in the application's classpath. The @EnableAutoConfiguration annotation triggers this process, where Spring Boot scans for jars and applies sensible defaults, such as setting up a data source if a database driver is detected or configuring web MVC if Spring Web is included. This approach minimizes explicit configuration while allowing overrides through properties or custom beans when needed.[116]
Spring Boot further streamlines dependency management through its starters, which are predefined dependency descriptors that bundle commonly used libraries and their transitive dependencies. For instance, the spring-boot-starter-web starter includes dependencies for building web applications with Spring MVC, Tomcat as the embedded server, and other essentials like Jackson for JSON processing, all managed via a Bill of Materials (BOM) in the spring-boot-starter-parent parent POM for consistent versioning. This eliminates version conflicts and simplifies the pom.xml or build.gradle files.[117]
To support easy deployment, Spring Boot integrates embedded web servers such as Tomcat (the default), Jetty, or Undertow, allowing applications to run as self-contained executable JARs without needing a separate server installation. Developers can switch servers by excluding the default and including an alternative starter, like spring-boot-starter-jetty, enabling quick testing and production deployment in containerized environments.
Spring Boot Actuator provides production-ready features for monitoring and managing applications, exposing endpoints for health checks, metrics, and observability. The /actuator/health endpoint aggregates the status of application components, such as database connections or external services, reporting an overall UP, DOWN, or OUT_OF_SERVICE state. Metrics are collected via Micrometer, supporting integrations with systems like Prometheus for JVM memory usage, HTTP requests, and custom gauges, accessible at /actuator/metrics.
As of November 2025, the current stable version is Spring Boot 3.5.7, aligning with Spring Framework 6.2.x or later, with support for virtual threads (introduced in version 3.2) enabling better concurrency handling in I/O-bound applications without altering code. It also includes updates for observability and dependency upgrades, such as Flyway 11.7 for database migrations.[118] Spring Boot 4.0, released in late 2025 alongside Spring Framework 7.0 (GA November 13, 2025), features robust API versioning support through URI path or header-based strategies, deeper Jakarta EE 11 integration, native image optimizations for GraalVM, built-in resilience patterns, modularization of auto-configurations, and support for Kotlin 2.2.[119][15][120]
Relationship with Jakarta EE
The Spring Framework emerged in the early 2000s as a lightweight, POJO-based alternative to the Enterprise JavaBeans (EJB) 2.x specification within Java EE (now Jakarta EE), which was criticized for its invasive nature requiring developers to implement specific interfaces, extend base classes, and use extensive deployment descriptors that tightly coupled business logic to the EJB container.[121] Introduced by Rod Johnson in his 2002 book Expert One-on-One J2EE Design and Development, Spring's first milestone release in 2004 emphasized inversion of control (IoC) and aspect-oriented programming (AOP) to simplify enterprise development without the overhead of full EJB containers.[1] This approach allowed applications to run in lightweight servlet containers like Tomcat, promoting modularity and reducing boilerplate code compared to EJB's heavyweight model.[121]
In modern versions, Spring Framework 6.0 and later align closely with Jakarta EE standards, with 6.x adopting Jakarta EE 9 as the baseline API level (compatible up to Jakarta EE 10) and 7.0 (GA November 2025) adopting Jakarta EE 11, transitioning to the jakarta.* namespace for packages like Servlet, JPA, and Bean Validation.[122][123][15] This alignment enables seamless integration with Jakarta EE-compliant servers such as Tomcat 10.1 and Jetty 11, while Spring's annotations like @Transactional mirror declarative mechanisms in Jakarta EE's Contexts and Dependency Injection (CDI) for managing transactions and lifecycles.[122] Key overlaps include dependency injection, where Spring's IoC container provides functionality similar to CDI's @Inject via @Autowired or constructor injection, offering portable bean management across environments.[26] For transactions, Spring's abstraction layer supports JTA (Java Transaction API) alongside local options like JDBC, allowing declarative management without EJB-specific ties, as seen in @Transactional applying to any POJO rather than container-managed beans.[124][125] Spring also integrates natively with JPA (Jakarta Persistence API) through modules like Spring Data JPA, enabling ORM providers such as Hibernate to handle persistence in a standards-compliant manner without full Jakarta EE stack requirements.[126]
Spring's design offers advantages in portability and testing ease, as its POJO-centric model avoids the full-stack compliance mandates of Jakarta EE, which require certified application servers for features like distributed transactions and security—allowing Spring applications to deploy flexibly on embedded servers or cloud-native platforms while still leveraging Jakarta EE APIs when beneficial.[121][1] This contrasts with Jakarta EE's emphasis on vendor-neutral specifications for enterprise-scale deployments, where Spring provides a more modular, non-intrusive path for developers seeking to avoid container lock-in.[127]
Migration from EJB to Spring typically involves refactoring session beans into Spring-managed POJOs (using scopes like singleton or prototype), converting entity beans to standard JPA entities backed by Hibernate or another provider, and transforming message-driven beans into Spring's asynchronous messaging support via @MessageMapping or JMS listeners.[128] Spring's built-in JTA support facilitates handling distributed transactions during such transitions, often bridging to existing Jakarta EE infrastructure without full rewrites, and tools like Spring Boot Migrator can automate much of the process for legacy EJB applications.[128][129]
Security Considerations
Historical Vulnerabilities
One of the most significant historical vulnerabilities in the Spring Framework is Spring4Shell, identified as CVE-2022-22965 and disclosed in March 2022. This remote code execution (RCE) flaw affects Spring MVC and Spring WebFlux applications running on JDK 9 or later, specifically when deployed as a traditional WAR file on Apache Tomcat.[130] The vulnerability arises from the way Spring handles data binding for request parameters, allowing attackers to manipulate class loader behavior through specially crafted HTTP requests.[131] Affected versions include Spring Framework 5.3.0 through 5.3.17 and 5.2.0 through 5.2.19.[130]
Exploitation of Spring4Shell involves sending a malicious POST request with parameters that exploit Tomcat's class loading mechanism, leading to arbitrary file writes on the server and potential RCE without authentication.[132] For instance, attackers could use oversized or specially named parameters to trigger the creation of temporary files in the web application's temporary directory, enabling code injection if combined with other misconfigurations.[133] This issue highlighted risks in the dynamic nature of Spring's web layer, particularly in how inversion of control (IoC) and data binding interact with server-specific features like Tomcat's resource handling. Real-world exploitation was observed shortly after disclosure, including attempts to deploy malware such as Mirai botnets.[133]
Mitigation for Spring4Shell requires upgrading to Spring Framework 5.3.18 or 5.2.20 and later versions, where the data binding logic was hardened to prevent class loader manipulation.[130] Additional protections include deploying applications as Spring Boot executable JARs (which are not vulnerable), using alternative servlet containers like Jetty, and implementing strict input validation on request parameters.[130] The vulnerability underscored the importance of securing dynamic bean creation in Spring's core principles against web-layer exploits.
Another notable pre-2025 vulnerability is CVE-2016-1000027, a potential RCE issue stemming from unsafe Java deserialization in the Spring Framework, particularly when using features like HttpInvokerServiceExporter for remote invocations.[134] This flaw allows attackers to execute arbitrary code if the application deserializes untrusted data and a suitable gadget chain is present in the classpath, affecting Spring Framework versions 4.0.0 through 4.2.9. It was addressed in Spring Framework 4.3.0 and later versions, with recommendations to avoid deserializing untrusted inputs altogether. Like Spring4Shell, this vulnerability exposed risks in Spring's remoting capabilities when handling external data, prompting broader adoption of secure deserialization practices.[135]
Recent Security Issues
In 2025, the Spring Framework encountered several security vulnerabilities primarily affecting its web and reactive components, highlighting ongoing challenges in handling path traversals, expression evaluations, annotation processing, and WebSocket communications. These issues were disclosed throughout the year and addressed through timely patches, underscoring the importance of regular updates in enterprise applications.[136]
One notable vulnerability, CVE-2025-41242, disclosed in August 2025, involves a path traversal flaw in Spring MVC applications deployed on non-compliant Servlet containers, such as certain embedded servers that fail to properly normalize paths. This medium-severity issue (CVSS 6.5) allows attackers to access files outside the intended directory via crafted HTTP requests, potentially exposing sensitive configuration or application data. Affected versions include 6.2.0 to 6.2.9, 6.1.0 to 6.1.21, and 5.3.0 to 5.3.43.[137][138]
In September 2025, CVE-2025-41243 was reported as a critical vulnerability (CVSS 9.8) in Spring Cloud Gateway Server WebFlux, enabling unauthorized modification of Spring Environment properties through malicious Spring Expression Language (SpEL) injections. This flaw arises from improper evaluation contexts in reactive routes, potentially allowing attackers to alter application behavior, such as bypassing authentication or injecting arbitrary code, leading to full unauthorized access in misconfigured gateways. It impacts Spring Cloud Gateway versions 4.1.0 to 4.1.5 and 4.0.0 to 4.0.10.[139][140]
Also in September 2025, CVE-2025-41249 exposed a privilege escalation risk due to flawed annotation detection in the Spring Framework's method security mechanisms, particularly when using @EnableMethodSecurity with type hierarchies involving parameterized supertypes. This medium-severity issue (CVSS 7.5) can result in unintended access to secured methods, as annotations may not propagate correctly, allowing privilege abuse in applications relying on role-based access control. Vulnerable versions span 6.2.0 to 6.2.10, 6.1.0 to 6.1.22, and 5.3.0 to 5.3.44.[141][142]
In May 2025, CVE-2025-41232 was disclosed as a medium-severity vulnerability (CVSS 6.5) in Spring Security's method security, allowing authorization bypass for annotations on private methods when @EnableMethodSecurity is used. This issue affects applications where private methods with security annotations are inadvertently exposed, potentially leading to unauthorized access. Affected versions include 6.2.0 to 6.2.5, 6.1.0 to 6.1.18, and 5.3.0 to 5.3.41.[143]
In October 2025, CVE-2025-41253 was identified as a moderate-severity flaw (CVSS 6.8) in Spring Cloud Gateway Server WebFlux, where SpEL expressions could expose environment variables or system properties if the actuator endpoint is enabled and misconfigured. This vulnerability allows potential information disclosure or further exploitation in gateway setups. It affects Spring Cloud Gateway versions 4.1.6 to 4.1.7 and 4.0.11 to 4.0.12.[144]
The year closed with CVE-2025-41254 in October 2025, a CSRF vulnerability in STOMP over WebSocket implementations that permits attackers to bypass session checks and send unauthorized messages without proper origin validation. Rated medium severity (CVSS 6.5), this affects real-time applications using Spring's WebSocket support, potentially enabling message spoofing or denial-of-service in collaborative environments. It targets Spring Framework versions 6.2.0 to 6.2.11, 6.1.0 to 6.1.23, and 5.3.0 to 5.3.45.[145][146]
To mitigate these vulnerabilities, Spring released patches in versions 6.2.12 and later for open-source support, alongside enterprise updates for 5.3.x and 6.1.x branches, which developers should apply promptly. Best practices include enforcing strict Servlet container compliance, validating SpEL expressions in reactive components, auditing annotation hierarchies in secured applications, implementing CSRF tokens for WebSocket endpoints, and integrating regular dependency scanning tools like OWASP Dependency-Check. These measures, combined with secure configuration defaults in modern web modules, help prevent exploitation in production deployments.[14][136]