The first project I used Spring Security (formerly known as ACEGI) the setup was so complicated that we used the Spring Bean format from the beginning. In the new project I am working on the Spring Security was setup with the XML Namespace configuration which looks like this:
<security:http auto-config="true"
<security:intercept-url pattern="/images/**/*" filters="none"/>
<security:intercept-url pattern="/secure/**" access="ROLE_AUTHENTICATED"/>
<security:intercept-url pattern="/help/**" access="ROLE_AUTHENTICATED"/>
<security:form-login login-page='/login/loginRequired.action' authentication-failure-url='/login/loginFailure.action' default-target-url="/login/login.action" always-use-default-target="true"/>
<security:logout invalidate-session="true" logout-success-url="/login/logout.action"/>
<security:concurrent-session-control max-sessions="1"/>
</security:http>
But that leaves me with little room for customization. Well, a few hours digging around in Spring Security and I finally found several ways to customize the configuration setup.
1. Custom Authentication Provider
One of the most important part of the Spring Security setup is the Authentication Provider and not everyone is happy with the default. In order to have my own Authentication Provider used I only need tag the Authentication Provider bean as such with the custom-authentication-provider element. This looks like this:
<bean id="daoAuthenticationProvider" class="com.wb.ads.pp.util.WBAuthenticationProvider">
<security:custom-authentication-provider/>
<property name="userDetailsService" ref="userService"/>
</bean>
2. Custom Access Decision Maker
This is for whatever reason an attribute on the HTTP element and takes a reference to your implementation:
<security:http auto-config="true" access-decision-manager-ref="accessDecisionManager">
3. Custom Filter
You only need to tag your filter with custom-filter element and add an attribute before or after with the predefined filter name that goes after or before your custom filter:
<bean id="wbppDebugFilter" class="com.wb.ads.pp.util.DebugSecurityFilter">
<security:custom-filter before="CHANNEL_FILTER"/>
</bean>
Have fun - Andy