If you're working in a very complex environment where the baseline Spring Security functionality—although very robust—doesn't cover everything, you may end up at a point where you'll need to build the entire Spring Security filter chain and supporting infrastructure from the ground up yourself. This is an area that is partially documented in the Spring Security reference documentation, but tends to trip up a lot of people. Some refer to this type of configuration as the "alternate universe" of Spring Security.
Building and wiring all the requisite beans yourself, provides you with a very high degree of flexibility and customization that the
<http>-style configuration won't ...