Migrating an GWT Application from Spring Security 3.x to 4.0

My GWT Application mainly uses Spring Security Annotations in the service methods, but also a general API filtering by role. The migration from Spring Security 3.1 to 4.0.1 took longer than expected, here are my main pitfalls:

hasRole(‘USER’) expression behavior changed:

In Spring Security 3 the code above checks if the current Authentication has authority “ADMIN” in Spring Security 4 this checks for authority “ROLE_ADMIN”. So rename your authorities or use the hasAuthority expression.

Cross Site Request Forgery (CSRF) is enabled by default: This protects against CSRF. My Web Application does not use CSRF Token, so I had to deactivate that nice feature (line 12).

X-Frame-Options is Deny by default: Prevents your site from allowing iFrames which can be used to do evil stuff. The GWT Activity and Places pattern is working with iframes so we need to active them for our applikation. (line 13-15).

Update all the XML schema locations: All XML files need to contain the correct spring schema locations.

The username and password field has changed: My GWT Application does not use the generated login page from Spring Security, instead I’m doing it all with Ajax requests. In Spring 3 the fields were named “j_username” and “j_password”. In Spring 4 they are renamed to “username” and “password”. (yay)

Make sure your servlet api is matching the one from your container: The provided web applications servlet API depends on the container type that is used: Tomcat, Jetty and so on.. So make sure the javax.servlet-api version in your classpath is correct! The Mavens GWT plugin target “gwt:run” uses Jetty which provides the servlet API version 3.0: