Home » Java » Spring Security: Migrating from 3.x to 4.x

Spring Security: Migrating from 3.x to 4.x

So I started out migrating the Spring components of my web application by updating Maven to pull the 4.x Spring releases.

I expected some changes with regards to Spring MVC, but I didn’t expect changes related to Spring Security.

The spring-security.xml started out as follows:

And the login.jsp had the standard fields and action:

<form name='loginForm' action="<c:url value='/j_spring_security_check' />" method='POST'>




<td><input type='text' name='j_username'></td>




<td><input type='password' name='j_password' /></td>



<td colspan='2'><input name="submit" type="submit" value="submit" /></td>




The problem started when I had the application entirely running on Spring 4.x and I tried logging in without success.

Nothing made sense.  I examined the logs which reported “Access is denied” and “anonymousUser”.  This seemed odd because the http posts seemed fine.

I tried modifying the spring-security.xml many times without success.  Then I tried to move the security configuration from xml to Java based.  Essentially, I introduced a SecurityConfig class (with @EnableWebSecurity annotation) but that didn’t work either.

Finally, I went back to the xml based configuration and added j_spring_security_check/j_username/j_password.  This solved the problem.  It still doesn’t make sense to my why I had to do that.

Here’s what the spring-security.xml ended up looking like:

<sec:http use-expressions=”true” auto-config=”true”>

<sec:csrf disabled=”true”></sec:csrf>

<sec:intercept-url pattern=”/css/*” access=”permitAll”/>

<sec:intercept-url pattern=”/images/*” access=”permitAll”/>

<sec:intercept-url pattern=”/jsp/login.jsp” access=”permitAll”/>

<sec:intercept-url pattern=”/**” access=”isAuthenticated()” />

<sec:form-login login-page=”/jsp/login.jsp” login-processing-url=”/j_spring_security_check” username-parameter=”j_username” password-parameter=”j_password” default-target-url=”/index.html” authentication-failure-url=”/jsp/login.jsp?login_error=1″ always-use-default-target=”true”/>

<sec:logout logout-url=”/j_spring_security_logout” invalidate-session=”true” logout-success-url=”/jsp/login.jsp?loggedout=true” />



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s