Forgive me if I am mistaken, but he is talking about the built-in J2EE container security that uses the HttpServletRequest APIs and not Spring Security (though I am guessing the former was derived from the latter).
I certainly didn't use any Spring stuff when I had my related problem.
[Message sent by forum member 'tacitust' (tacitus_at_yahoo.com)]
http://forums.java.net/jive/thread.jspa?messageID=390316