It depends. If you want modify authorizations, you can use Requestmap and save all the authorization configurations in database, then deliver different versions with external bootstrap data definitions.

Alternatively you can use org.springmodules.commons.configuration.CommonsConfigurationFactoryBean to store and retrieve your configuration as key, value pair in database table

    <bean name="DatabaseConfiguration" class="org.apache.commons.configuration.DatabaseConfiguration">
            <constructor-arg type="javax.sql.DataSource" ref="dataSource"/>
            <constructor-arg index="1" value="CONFIG_TABLE_NAME"/>
            <constructor-arg index="2" value="KEY_COLUMN_NAME"/>
            <constructor-arg index="3" value="VALUE_COLUMN_NAME"/>
    </bean>

Spring comes with a couple of options for externalizing Spring configuration details into property files that can be managed outside of the deployed application:

1. Property placeholder configurers replace placeholder variables placed in property values with values from an external properties file.
2. Property overriders override bean property values with values from an external properties file. In addition, the open source Jasypt project offers alternative implementations ofS pring’s property placeholder configurer and overrider that can pull those values from encrypted properties files. A placeholder configurer can be configured like this for classpath A placeholder configurer can be configured like this for filepath if db.properties contains as follows jdbc.driverClassName=DriverclassName jdbc.url=Driverclass://localhost/applicationname/ jdbc.username=test jdbc.password=test1 Now we can replace the hardcoded values in the Spring configuration with place-holder variables based on the properties in db.properties

It's an interesting question. Since Spring Security should be configured in root webapp context, you can't externalize its configuration to other contexts. Also you can't change the set of config resources from inside the context. So, you should do it from outside:

• You can use a well-known file system location:

   <context-param>
       <param-name>contextConfigLocation</param-name>
       <param-value>
           /WEB-INF/applicationContext.xml
           file:///C:\config.xml
       </param-value>
   </context-param>
  

• System properties are resolved in contextConfigLocation, so you can use it:

   <context-param>
       <param-name>contextConfigLocation</param-name>
       <param-value>
           /WEB-INF/applicationContext.xml
           file:///${configPath}
       </param-value>
   </context-param>
  

  and -DconfigPath=...

• You can override XmlWebApplicationContext.getResource() and implement whatever you want:

  public class MyXmlWebApplicationContext extends XmlWebApplicationContext {
      private static final String JNDI_PREFIX = "jndi:/";        
      @Override
      public Resource getResource(String location) {
          if (location.startsWith(JNDI_PREFIX)) return getJndiResource(location);
          else return super.getResource(location);
      }
      protected Resource getJndiResource(String location) { ... }
  }
  

  and

  <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>
          /WEB-INF/applicationContext.xml
          jndi:/...
      </param-value>
  </context-param>        
  <context-param>
      <param-name>contextClass</param-name>
      <param-value>com.example.MyXmlWebApplicationContext</param-value>
  </context-param>
  

You can add a org.springframework.beans.factory.config.PropertyPlaceholderConfigurer, which references an external file, then use the ${key} syntax without your Spring configuration files to reference key/value pairs in the externalized property file.

Another solution is to specify an absolute path in your web.xml to reference a Spring contextConfigLocation.

<context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>/absolute_path/ldap.xml, /WEB-INF/context/dao-context.xml</param-value>
</context-param> 

Here is a free configuration tool: http://go.eeye.com/icwt that tests your environment for highly recommended configuration updates, how the local OS is configured (identifies potential problem areas), identifies areas concerning APTs, and shows if your processes and code are signed.