Well . . .

»Before you can apply security to a web application, you need a web application to secure«

http://spring.io/guides/gs/securing-web/