Spring Security with Dynamic Role Management

I am currently migrating from Struts1 / EJB3 to Spring MVC 4.0.4 / EJB3. Application Server - JBoss 4.2.3 (JBoss 7.x in progress).

My current security roles are stored in the database (ex: admin, validator and employee). For each role, administrators can check or revoke the features (use cases) they want access to (add a new file, update a file, delete a file, etc.). I also have a "method" table that stores all of my "protected" functions (add a new file, update a file, delete a file, etc.).

My application needs to have user management and role management, so application owners (admins) can add users and roles, and make changes to existing roles as needed.

There is no login form. The login sequence is as follows:

  • Create an HTTP session.
  • Collect the current user id from JCIFS.
  • Search for a user in Active Directory.
    • If found in AD, find the user record in the user table.
    • If found in the database, synchronize user data with AD (from step 4).
      • Collect the roles from the database and install them into the user session.
    • Redirect to the home page of the application.

I would like to take advantage of Spring Security and at the same time offer the flexibility that my clients use for their applications.

Any hints would be much appreciated.

Thanks

+3
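
One way the database-driven role and feature model described in the question can be mapped onto Spring Security's pre-authenticated flow, as an added example that is not part of the original post. `RoleFeatureDao`, `DbRoleUserDetailsService` and the feature names are hypothetical; the user id is assumed to have been established upstream (JCIFS / Active Directory) before this class is called.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical DAO over the user, role and "method" (feature) tables from the post.
interface RoleFeatureDao {
    boolean userExists(String userId);
    List<String> rolesOf(String userId);          // e.g. "admin", "validator"
    List<String> featuresGrantedTo(String role);  // e.g. "FILE_ADD", "FILE_DELETE" (assumed names)
}

// Builds the session's authorities from the database instead of a static role list.
public class DbRoleUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private final RoleFeatureDao dao;

    public DbRoleUserDetailsService(RoleFeatureDao dao) { this.dao = dao; }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        String userId = token.getName(); // identity already verified upstream
        if (!dao.userExists(userId)) {
            // Known to AD but not to the application: deny rather than grant a default role.
            throw new UsernameNotFoundException("No application account for " + userId);
        }
        // One authority per role plus one per feature currently checked for that role.
        Set<GrantedAuthority> authorities = new LinkedHashSet<GrantedAuthority>();
        for (String role : dao.rolesOf(userId)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase(Locale.ROOT)));
            for (String feature : dao.featuresGrantedTo(role)) {
                authorities.add(new SimpleGrantedAuthority(feature));
            }
        }
        return new User(userId, "N/A", authorities); // no password: there is no login form
    }
}
```

Protected functions can then be guarded by feature rather than by role, for example `@PreAuthorize("hasAuthority('FILE_DELETE')")`. Authorities built this way are a snapshot taken at login, so a feature an administrator revokes stays usable in already-open sessions until they are reloaded or invalidated.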