2. What’s new in Spring Security 4.0

2. What’s new in Spring Security 4.0
Prev	Part II. Getting Started	Next

There are 150+ tickets resolved with the Spring Security 4.0 release. Below are the highlights of the new features found in Spring Security 4.0.

Web Socket Support
Test Support
Spring Data Integration
CSRF Token Argument Resolver
More Secure Defaults
Methods with role in them do not require ROLE_ For example, previously the following would be required within XML configuration:
```
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
```
Now you can optionally omit the ROLE_ prefix. We do this to remove duplication. Specifically, since the expression hasRole already defines the value as a role it automatically adds the prefix if it is not there. For example, the following is the same as the previous configuration:
```
<intercept-url pattern="/**" access="hasRole('USER')"/>
```
Similarly, the following configuration:
```
@PreAuthorize("hasRole('ROLE_USER')")
```
is the same as this more concise configuration:
```
@PreAuthorize("hasRole('USER')")
```
Many Integration Tests Added to Samples
Deprecate @EnableWebMvcSecurity - by updating the minimum Spring Version, we can now allow defaulting MVC integration with @EnableWebSecurity but still allow it to be overridden

Prev	Up	Next
1. Introduction	Home	3. Java Configuration