Spring Security login with REST web service

Posted 2019-06-04 05:39

My company has a specific authentication provider which is an internal REST web service. In fact, you provide a login/password to the web service and it returns a token (which has a validity of a few hours) which must be given in the header for each next business request to the web service.

I need to create a web application and I need to plug it into this authentication provider. What is the best way to integrate it with Spring Security?

How can I manage the token expiration in my webapp without asking the user to re-login?

2 answers
男人必须洒脱
#2 · 2019-06-04 06:17

I just encountered a situation very similar to the original question, and this is what I'm going to work by: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html

EDIT:

In our situation the session and the cookie tied to it are all managed externally, and we must only validate and authorize each request based on the external session store.

So we'll be using a custom SecurityContextRepository instead.

EDIT2:

Writing a SecurityContextRepository which checks each request against the common token store was trivial; wiring it into Spring Security was insane: the http element in security-context.xml does not allow customization of the securityContextPersistenceFilter, so I had to emulate it with plain beans. Not fun at all.

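The custom SecurityContextRepository approach described in the answer above, as an added example that is not the answerer's code. `TokenStore`, `lookupUser` and the cookie name `SESSION_TOKEN` are hypothetical, and the `javax.servlet` imports assume the Spring Security 3.x to 5.x line.

```java
import javax.servlet.http.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

public class TokenStoreSecurityContextRepository implements SecurityContextRepository {
    /** Hypothetical client for the external session store (not a Spring type). */
    public interface TokenStore {
        /** Returns the user name bound to a live token, or null if unknown or expired. */
        String lookupUser(String token);
    }

    private static final String COOKIE_NAME = "SESSION_TOKEN"; // assumed cookie name
    private final TokenStore store;
    public TokenStoreSecurityContextRepository(TokenStore store) { this.store = store; }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        // Nothing is cached locally, so an expired or revoked token fails on the next request.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        String token = readToken(holder.getRequest());
        String user = (token == null) ? null : store.lookupUser(token);
        if (user != null) {
            // The three-argument constructor marks the Authentication as authenticated.
            ctx.setAuthentication(new UsernamePasswordAuthenticationToken(
                    user, token, AuthorityUtils.NO_AUTHORITIES));
        }
        return ctx; // left empty when the token is missing, unknown or expired
    }

    @Override
    public void saveContext(SecurityContext ctx, HttpServletRequest req, HttpServletResponse res) {
        // Nothing to persist: the external store owns the session state.
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String token = readToken(request);
        return token != null && store.lookupUser(token) != null;
    }

    private static String readToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        return null;
    }
}
```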
我想做一个坏孩纸
#3 · 2019-06-04 06:32

If you want to use Spring Security with authentication being delegated to a web service, you need to implement the AuthenticationProvider interface provided by the Spring Security framework. You can do something like this:

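    import org.springframework.security.authentication.*;
    import org.springframework.security.core.*;
    import org.springframework.security.core.authority.AuthorityUtils;

    public class AuthProviderImpl implements AuthenticationProvider
    {
        // handle to your web service (placeholder type); authenticate() is assumed to return the token
        private final WebServiceAuthClient client;
        public AuthProviderImpl(WebServiceAuthClient client) { this.client = client; }

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException
        {
            // get user name and password from the Authentication object
            String username = authentication.getName();
            String pwd = (String) authentication.getCredentials();
            String token = client.authenticate(username, pwd);
            return new UsernamePasswordAuthenticationToken(username, token, AuthorityUtils.NO_AUTHORITIES);
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }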

Configure your web app to use Spring Security: http://static.springsource.org/spring-security/site/petclinic-tutorial.html
