Security Role Mapping in Spring Security.

I am new to springs security and trying to configure spring security in my application. My application server is WAS. Initially the application security was set up as below in deployment descriptor.

<security-constraint> <display-name>Security Constraint</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>*.faces</url-pattern> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <role-name>USER</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>EMS AD Real</realm-name> <form-login-config> <form-login-page>/userlogin.faces </form-login-page> <form-error-page>/userloginerror.faces</form-error-page> </form-login-config> </login-config> <security-role> <role-name>USER</role-name> </security-role>

Now I have configured the application using spring security as below.

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"> <global-method-security secured-annotations="enabled"> </global-method-security> <http auto-config="true" access-denied-page="/accessDenied.jsp"> <intercept-url pattern="*.faces" access="ROLE_USER" /> <form-login login-processing-url="/j_spring_security_check" login-page="/userlogin.faces" default-target-url="/" authentication-failure-url="/userloginerror.faces" /> </http> <authentication-provider> <user-service> <user name="testuser" password="testuser" authorities="ROLE_USER" /> </user-service> </authentication-provider> </beans:beans>

When I deploy my application in WAS earlier, USER role would map to security role mappings. All users configured in AD base will be thus validated.

Now -

How can I set up the USER Role in Spring Security?

Can I mention the security role as done in web.xml explicitly so that there are no username/password listed in security file as above.

Any help on this?

You can use
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="preauthAuthProvider" />
</sec:authentication-manager>

<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
</property>
</bean>

Where userDetailService is the service which will return all the user related inforamtion and you can map roles using below code

<bean id="userDetailsService" class="Your Service Class">
<property name="userRoles2GrantedAuthoritiesMapper">
<bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
<property name="attributePrefix" value="ROLE_" />
</bean>
</property>
</bean>