The Spring Security filter (actually its a whole filter chain) is configured in the root
WebApplicationContext. In web.xml you have a
DelegatingFilterProxy that finds the filter in the context and delegates all requests to it.
Note that Magnolia invalidates the session when logging into AdminCentral.
Alternative 1: Configure the filter in web.xml
With Magnolia and Blossom you do it the same way, except instead of using
DelegatingFilterProxy you use
InstallationAwareDelegatingFilterProxy. It will defer looking up the filter in the context until magnolia has installed/updated and your module have created the root
Configure the delegating filter like this:
Alternative 2: Configure the filter in the Magnolia filter chain
It's also possible to add it to the filter chain if you want to centralize everything in your module and keep web.xml clean. Use
info.magnolia.cms.filters.FilterDecorator for this.
You'll want to make sure its placed early in the chain. You should also make sure that the filter chain isnt bypassed for any requests that you want Spring Security to filter.