It really depends on the level of security you want to impose. You could just use simple web.xml based access control with realms, usernames and passwords.

Security of your webservices is another matter. From the Spring Security FAQ:

Web applications are vulnerable to all kinds of attacks which you should be familiar with, preferably before you start development so you can design and code with them in mind from the beginning. Check out the OWASP web site for information on the major issues facing web application developers and the countermeasures you can use against them.

Spring Security is certainly an option. It is for the most part, easy (nowadays) to integrate with Spring and has a flexible authentication module.

You should also consider Apache Shiro. A comparison to Spring Security question has already been answered – Shiro vs. SpringSecurity and Shiro also integrates nicely with Spring.

There are also some other questions already answered on this topic – How to secure a service REST with spring3? and Looking for a Simple Spring security example

I do not think there is a definitive answer to the question in it’s current form, but I hope this helps all the same.