There is no way to start an application with spring security 4 due to the CSFR by default, every ajax request is reject with a 403 access denied on /zkau. when it is disabled all works right.

<csrf disabled="true"/>