Sometimes in a webapp you will be in a situation where a filter/app/container other than Spring will be responsible for authenticating a user and setting the user principal, leaving the authz to the Spring webapp. A portlet container is a typical example. There is a few examples floating around showing how to do this in Spring 2.x, but it appears some thing (packages, etc) have changed for Spring 3.x, so here is how to make it work. Use the following in your applicationContext.xml