Spring Security now has new module called spring-security-javaconfig. It provides a fluent builder API to configure spring security in Java code instead of XML. I used the CI build in a simple demo blog application and I really like it to have no XML file in the whole web project. The code snippet belows shows the security configuration from this demo appliction.
To get spring security support up and running the "DelegatingFilterProxy" must be added to your web application filter chain. This can also be done without any XML by using the Servlet API 3.0 features by using the Spring "AbstractAnnotationConfigDispatcherServletInitializer" base class to configure the web-app. The web-app configuration is shown in the code listing below.
More details on spring security java config see the github project.