Mostly this applies to applications using XML-based configurations. In the 4.0 release, there was an effort to align the XML-based Configuration defaults with the more recent JavaConfig counterparts.
For starters, turning on DEBUG logging for org.springframework.security will give you some hints.
The first change was in the main Spring Security Filter Chain. The CSRF token filter is added to the filter chain and turned on by default. This may cause your login form submit URL to fail the CSRF check and you will see the following in the log:
06/22/2015 18:26:19 DEBUG org.springframework.security.web.FilterChainProxy (FilterChainProxy.java:324) - /doLogin at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' 06/22/2015 18:26:19 DEBUG org.springframework.security.web.csrf.CsrfFilter (CsrfFilter.java:106) - Invalid CSRF token found for http://localhost/unity/doUserLogin
The change is described in SEC-2347. To restore the previous functionality, you can turn off CSRF by adding a disabled <csrf> element to your <http> configuration. Keep in mind that if you don't have another mechanism for CSRF protection in your app, you really should consider enabling Spring's CSRF.
<http use-expressions="true">
<csrf disabled="true"/>
<intercept-url pattern="/app/login.do" access="permitAll()" />
<intercept-url pattern="/app/logout.do" access="permitAll()" />
<intercept-url pattern="/app/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="permitAll()" />
<form-login login-processing-url="/doLogin"
. . .
/>
</http>
