When you're using Spring Security in web applications, I'm fairly sure that it can tie in with the
JEE standard security framework (container-managed authentication and authorization).
When you use container security, both the mechanism for authentication and authorization (Realm) and the database used by the Realm are externally-configurable options built into the web application server, not the application. In a case like that, Spring Security would simply invoke the container security API when it could and handle the finer points itself.