We are pleased to announce the release of Spring Security 4.0.0.RC1. This release resolved 40 tickets. You can find highlights of the changes below.
- Updated Defaults - As security evolves, so does Spring Security. We took this opportunity to ensure that the defaults were more secure. For example, the XML Namespace support now enables CSRF protection by default.
- Polish WebSocket Security - We received very valuable feedback from the community which allowed us to polish the WebSocket security. We also added XML Namespace configuration support for WebSocket security. Details can be found in the updated blog post "Preview Spring Security WebSocket Support".
- Minimum Dependency Versions - The minimum dependency versions have been bumped up. For example, Spring Security now requires Spring 4.1.x.
- Removed Deprecations - While this may not be everyone's favorite feature, it is necessary to clean up unnecessary code. This makes the code base easier to understand and maintain.
- Documentation Formats - When we switched to Asciidoctor, the PDF and HTML Multi Page outputs were removed. We once again provide HTML Single, HTML Multi Page, EPub and PDF outputs.
- Simplified Configuration - By leveraging new features in Spring 4.x, Spring Security's minimal configuration has been drastically simplified. For example, the minimal configuration to secure a web application can be seen below:
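```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@EnableWebSecurity
public class SecurityConfig {

    // Registers a single in-memory user with the USER role (sample credentials).
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
```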
Please try out the updates and provide feedback. Our current plan is to go GA in January.