Mar 8th, 2010, 07:31 PM
Best approach 4 dynamic LDAP/Security config?
I am working on adding Single Sign On to my Spring 2.5.6 web app,
(have 1 production client so far) with Spring Security 2.0.5; this is
my 1st web app project (100+ web pages; 250+ source files) intranet.
I have a working test configuration with Spring LDAP 1.3 that does form
login authentication using ApacheDS, doing Bind Authentication and roles via LDAP groups.
I want to be able to implement Site Settings stored in the database that an IT admin user
can set up/change to configure the LDAP Security configuration,
rather than having the LDAP hostname, port#, root dc=domain, managerDn,
manager-password, whether groups provide roles / authorities or not, search-filters,
ldap.userAttrName (e.g. uid or sAMAccountName), etc., etc., hard-coded
into an applicationContext-security.xml file.
I want to support a wide range of LDAP server configurations, including Active Directory,
as it is the one my customers will most likely be using.
Spring Security config via a static xml file is an inflexible approach and
if ...-security.xml is embedded in the .war file, updating the webapp war
file becomes a 'redo the configuration' nightmare for customer IT admins.
But since Spring Security is implemented via a complex filter chain proxy
configured via xml (and web.xml entries), I don't see how to switch it on,
say after a "setup wizard" mode, and to have it stay configured even when
the war file is replaced, without having the web-app generate and add/update
xml config files in its own application server configuration.
This "self modifying" approach is bad practice, so can anyone outline a better approach?
Do I have to write a custom beanFactory that fetches Site Settings
from the database (or supplies 1st time defaults from a .properties file)?