upgrade to Spring-Security 4.X后的登录问题

升级到4.2.3后,登录出现


HTTP Status 403 - Could not verify the provided CSRF token because your session was not found

在 <sec:http> 元素里面需要增加下面的配置(注意:这是通过关闭 CSRF 防护来消除该错误;如果要保留 CSRF 防护,则应让登录表单在提交时带上 CSRF token):

<!-- Response-header settings. Each child below switches off one header that Spring Security
     would otherwise write: X-Frame-Options, X-Content-Type-Options, the cache-control headers
     and X-XSS-Protection.
     NOTE(review): the 403 quoted above is a CSRF-token failure; nothing on this page ties it to
     these headers, so confirm each disable is really needed before copying it. -->
<sec:headers>
    		<sec:frame-options disabled="true"/>
    		<sec:content-type-options disabled="true"/>
    		<sec:cache-control disabled="true"/>
    		<sec:xss-protection disabled="true"/>
    	</sec:headers>
		<!-- Hands session handling at login to the bean whose id is "sas". -->
		<sec:session-management session-authentication-strategy-ref="sas" />

		<!-- Turns CSRF protection off for this <sec:http>. That removes the check which raised the
		     403 instead of satisfying it. To keep the protection, leave CSRF enabled and have
		     login.jsp post the token, e.g. a hidden field named ${_csrf.parameterName} whose
		     value is ${_csrf.token}. -->
		<sec:csrf disabled="true" />


配置文件:

	<!-- Session strategy applied after a successful authentication.
	     The id "sas" is what session-authentication-strategy-ref points at. -->
	 <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
	    <!-- true: attributes of the pre-login session are carried over to the session used after login. -->
	    <property name="migrateSessionAttributes" value="true"/>
	    <!-- The property below is commented out by the author and is therefore not active. -->
	    <!--
	    <property name="retainedAttributes">
	      <list>
	    	<value>SPRING_SECURITY_SAVED_REQUEST</value>
	    	<value>docUser</value>
	      </list>
	    </property>
	     -->
	  </bean>



sec:form-login里面的:

<!-- Form login. username-parameter and password-parameter pin the field names that the existing
     login form posts; per the article, leaving them out after the upgrade ends in
     BadCredentialsException: Empty Username. login-processing-url is the URL the form submits to. -->
<sec:form-login login-page="/login.jsp"
			username-parameter="j_username"
			password-parameter="j_password"
			login-processing-url="/j_security_check"
			default-target-url="/index.jsp"	authentication-failure-url="/login.jsp?error=true"/>
		<!-- Enables HTTP Basic authentication alongside the form login.
		     NOTE(review): Basic sends the credentials with every request; confirm it is needed
		     and that the application is only reachable over TLS. -->
		<sec:http-basic />

原来在 3.x 的时候,不需要显式配置下面这两个属性(4.x 中表单参数名的默认值已改为 username 和 password):
username-parameter="j_username"
			password-parameter="j_password"

如果不增加的话,会报

org.springframework.security.authentication.BadCredentialsException: Empty Username

完整的配置文件:


	<!-- Complete <sec:http> block from the article. use-expressions="true" is what allows the
	     access attributes below to be expressions such as permitAll. -->
	<sec:http auto-config="false" servlet-api-provision="true" use-expressions="true"  >
		<!-- Open to everyone. NOTE(review): /log* covers every path that starts with /log,
		     not only login.jsp and logout.jsp; verify nothing else falls under it. -->
		<sec:intercept-url pattern="/log*" access="permitAll" />
		<sec:intercept-url pattern="/css/**" access="permitAll" />
		<!-- URLs that may only be accessed after authentication -->
		<!-- <sec:intercept-url pattern="/**" access="isAuthenticated()" /> -->
		<!-- NOTE(review): with the catch-all rule above commented out, no intercept-url in this
		     block demands authentication. Re-enable it, after the permitAll rules, unless access
		     control is enforced somewhere that is not shown here. -->

		<!-- Form login with the parameter names the existing login form posts. -->
		<sec:form-login login-page="/login.jsp"
			username-parameter="j_username"
			password-parameter="j_password"
			login-processing-url="/j_security_check"
			default-target-url="/index.jsp"	authentication-failure-url="/login.jsp?error=true"/>
		<!-- HTTP Basic is enabled in addition to form login; confirm it is needed. -->
		<sec:http-basic />

		<sec:logout logout-success-url="/logout.jsp" />
		<!-- Remember-me with namespace defaults; no key or token store is configured here. -->
		<sec:remember-me />

		<!-- Custom filter; the jeePreAuthenticatedFilter bean is defined outside this listing. -->
		<sec:custom-filter ref="jeePreAuthenticatedFilter" position="PRE_AUTH_FILTER" />


		<!-- Switches off X-Frame-Options, X-Content-Type-Options, the cache-control headers and
		     X-XSS-Protection. NOTE(review): the 403 this article starts from is a CSRF-token
		     failure; confirm these disables are needed before keeping them. -->
		<sec:headers>
    		<sec:frame-options disabled="true"/>
    		<sec:content-type-options disabled="true"/>
    		<sec:cache-control disabled="true"/>
    		<sec:xss-protection disabled="true"/>
    	</sec:headers>
		<!-- Hands session handling at login to the bean whose id is "sas". -->
		<sec:session-management session-authentication-strategy-ref="sas" />


		<!-- Turns CSRF protection off for this <sec:http>, which removes the failing check
		     instead of satisfying it. To keep the protection, leave CSRF enabled and have
		     login.jsp post the token (hidden field named ${_csrf.parameterName}, value ${_csrf.token}). -->
		<sec:csrf disabled="true" />


	</sec:http>
	<!-- Session strategy applied after a successful authentication.
	     The id "sas" is what session-authentication-strategy-ref points at. -->
	 <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
	    <!-- true: attributes of the pre-login session are carried over to the session used after login. -->
	    <property name="migrateSessionAttributes" value="true"/>
	  </bean>


具体参考:

http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-form-login



转载自blog.csdn.net/xiazou/article/details/77287418