The pre-authentication sample application provided by spring-security is confusing. It seems to use an outdated XML configuration. I wanted to find a simple example, but I was only able to piece together the various configuration options from forum posts and the spring-security documentation. This sample is more of what I was looking for. Hopefully it's useful to others.
I also discovered an issue with Tomcat and spring-security's session fixation protection. I had to disable spring-security's session fixation protection in order to get the authentication working as expected.
mvn jetty:run
Point your web browser to http://localhost:8080/spring-security-j2ee-preauth-example - log in as either jimi or fred.
Edit $CATALINA_HOME/conf/tomcat-users.xml add the following:
<role rolename="ROLE_USER"/>
<role rolename="ROLE_ADMIN"/>
<user username="jimi" password="jimipw" roles="ROLE_USER,ROLE_ADMIN"/>
<user username="fred" password="fredpw" roles="ROLE_USER"/>
Deploy the war file:
cp target/spring-security-j2ee-preauth-example-1.0-SNAPSHOT.war $CATALINA_HOME/webapps/preauth.war
Point your web browser to http://localhost:8080/preauth - log in as either jimi or fred.