Things to Fix When Upgrading from Spring Security 3.2.x to 4.x

Some things have changed in Spring Security 4.x compared to the 3.2.x branch. They are not overwhelming, but you may have to deal with them so that your application keeps working without any problem after upgrading to the Spring Security 4.x release. I noted them down during my own upgrade process and post them here in case you need them.

  • For a long time the login processing URL, username and password request parameter names of UsernamePasswordAuthenticationFilter were j_spring_security_check, j_username and j_password respectively. They are now replaced with login, username and password by default.
  • The CSRF protection feature has been available for some time, but it was disabled by default. Spring Security 4.x, however, comes with CSRF protection enabled by default. This change has consequences for your web requests, especially pages which perform form submission with the HTTP POST method. You need to add a hidden input parameter as follows:
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">

  • The <http> element had use-expressions="false" in the Spring Security 3.2.x series. Therefore <intercept-url> elements were usually configured with ROLE_xxx access attributes by default. This has changed in Spring Security 4.x as well. From now on, Spring Security expressions are active by default, and anyone who starts using Spring Security should provide intercept-url access attributes with expressions returning a boolean value.
  • The logout processing URL has also been changed to logout from spring_security_logout. LogoutFilter now only accepts POST requests. Therefore, you need to add a simple logout form which calls logout with the HTTP POST method (the CSRF token field is required because CSRF protection is now on by default):
    <form action="logout" method="post">
        <input type="submit" value="Logout">
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">
    </form>

However, it is not currently possible to change the configuration of LogoutFilter so that it works with HTTP GET requests.

  • RememberMeAuthenticationFilter was querying the _spring_security_remember_me request parameter to initiate the remember-me mechanism. This has changed to remember-me in Spring Security 4.x.
  • Some classes in the acl packages were also changed. Therefore you may need to change your ACL bean configuration if you are using ACL in your project.
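The following XML namespace configuration is an added example for this post, not configuration from the original author or from the Spring Security project. It writes out the Spring Security 4.x defaults that the items above describe (expression-based intercept-url access, the new login, logout and remember-me parameter names, CSRF left enabled) so that each change is visible in one place; the URL patterns, role name, remember-me key and in-memory user are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the post author's configuration).
     Spring Security 4.x namespace config; URLs, role and user are hypothetical. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- use-expressions defaults to true in 4.x, so access attributes are expressions,
         not bare ROLE_xxx strings. It is written out here only to make the intent explicit. -->
    <http use-expressions="true">
        <!-- 3.2.x with use-expressions="false" would have used access="ROLE_ADMIN";
             in 4.x hasRole('ADMIN') adds the ROLE_ prefix itself -->
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
        <intercept-url pattern="/login"    access="permitAll"/>
        <intercept-url pattern="/**"       access="isAuthenticated()"/>

        <!-- 4.x defaults: /login, username, password. The attributes are spelled out so
             the old names (j_spring_security_check, j_username, j_password) can be put
             back temporarily while login pages are still being updated. -->
        <form-login login-page="/login"
                    login-processing-url="/login"
                    username-parameter="username"
                    password-parameter="password"/>

        <!-- 4.x default is /logout; with CSRF enabled it is only reachable with POST -->
        <logout logout-url="/logout" logout-success-url="/login?logout"/>

        <!-- 4.x default request parameter is remember-me (was _spring_security_remember_me);
             the key is a placeholder and must be a private value in a real deployment -->
        <remember-me key="REPLACE-WITH-PRIVATE-KEY" remember-me-parameter="remember-me"/>

        <!-- CSRF is on by default in 4.x, so nothing has to be declared. Disabling it
             (the commented-out element) is only a short-lived transition aid while
             every POST form gains the hidden _csrf input. -->
        <!-- <csrf disabled="true"/> -->
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- constructed in-memory user for demonstration only -->
                <user name="admin" password="admin-password" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Because every default is written explicitly, the same file doubles as a checklist: each attribute corresponds to one item in the list above, and reverting any single one to its 3.2.x value is a one-line change that can be undone once the matching JSP form has been migrated.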