I did not work with oauth but I believe spring has out of the box provider for oauth. I said you need to configure the filters to delagate authorization, then create a security session and store in the holder, once it is authenticated, will need to populate the grant authority in the user. then use the annotation to security methods. interviewer said spring security is not all about filters. so please Google the answers...