Integrating with Spring Security

Once in a while people ask on Stack Overflow how to use this with Spring Security. I was consoling people for years for a proper implementation. Finally I have decided not to impelement anything for Spring Security at all. You might ask why? The answer is rather simple, Spring Security's APIs are so complex and different to those in Tomcat that it would mean to provide a complete reimplementation which is a maintenance nightmare. Something I am not willing to do and see no real benefit in. Fortunately, the Spring guys were smart enough to think about lazy people like me: pre-authentication to the rescue! Spring Security comes with a set of classes completely wrapping authentication already perfomed by the container which is called Java EE Container Authentication.

Reconciling Spring Security with container-managed Security (CMS)

Assuming that your webapp now perfectly works with the given authenticator and realm, you need to tell that Spring Security.

Add this to your beans.xml, e.g., root-context.xml or security.xml:

<beans …>
<!-- Don't forget to add the Security namespace! -->
[…]
  <!-- Add this -->
  <security:http>
    <security:intercept-url pattern="/app/**"
      access="hasAnyRole('User','Editor','Admin')" />

    <security:jee mappable-roles="User,Editor,Admin" />

  </security:http>
[…]
</beans>

Make sure that your webapp path /app is intercepted in the web.xml in the first place otherwise it won't secure your sites. Moreover, mappable-roles have to match the security roles defined in your web.xml.

Attention
Spring Security suffers from a series of bugs effectively limiting proper usage of pre-authentication scenarios: SEC-1869, SEC-1869 additions, SEC-3198, SEC-3199, and SEC-3200.

You have successfully configured the Spring Security integration in your webapp. It is now ready to use.