Token based authentication with spring security

Question

I am trying to implement token based authentication with spring security. Planning to use Header based authentication token.

My web.xml file is this

    <?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <listener> 
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener>

    <servlet>
        <servlet-name>api</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/config/api-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>api</servlet-name>
        <url-pattern>/api/*</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>login.html</welcome-file>
    </welcome-file-list>
    <session-config>
        <session-timeout>0</session-timeout>
    </session-config>
</web-app>

my admin servlet is this

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">

    <context:property-placeholder location="/WEB-INF/database.properties" />
    <context:component-scan base-package="com.netphenix.employee.api" />

    <tx:annotation-driven transaction-manager="hibernateTransactionManager"/>
    <mvc:annotation-driven />


    <bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
        <property name="defaultContentType" value="text/html"/>
        <property name="ignoreAcceptHeader" value="true"/>
        <property name="favorPathExtension" value="true"/>
        <property name="order" value="1"/>
        <property name="mediaTypes">
            <map>
                <entry key="html" value="text/html"/>
                <entry key="json" value="application/json"/>
            </map>
        </property>
        <property name="viewResolvers">
            <list>
                <bean class="org.springframework.web.servlet.view.BeanNameViewResolver"/>
                <!-- Use tiles2 for views -->
                <bean class="org.springframework.web.servlet.view.UrlBasedViewResolver">
                    <property name="viewClass" value="org.springframework.web.servlet.view.tiles3.TilesView" />
                </bean>
            </list>
        </property>
        <property name="defaultViews">
            <list>
                <ref bean="jsonView"/>
            </list>
        </property>
    </bean>

    <bean id="jsonView" class="org.springframework.web.servlet.view.json.MappingJacksonJsonView">
        <property name="contentType" value="application/json;charset=UTF-8"/>
    </bean>

    <bean id="dataSource"
          class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <property name="driverClass" value="${database.driver}" />
        <property name="jdbcUrl" value="${database.url}" />
        <property name="user" value="${database.user}" />
        <property name="password" value="${database.password}" />
        <property name="maxPoolSize" value="${jdbc.maxPoolSize}" />
        <property name="minPoolSize" value="${jdbc.minPoolSize}" />
        <property name="maxStatements" value="${jdbc.maxStatements}" />
        <property name="testConnectionOnCheckout" value="${jdbc.testConnection}" />
    </bean>

    <bean id="sessionFactory"
          class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
        <property name="dataSource" ref="dataSource" />
        <property name="packagesToScan" value="com.netphenix.employee.model"/>
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">${hibernate.dialect}</prop>
                <prop key="hibernate.show_sql">${hibernate.show_sql}</prop>
                <prop key="hibernate.hbm2ddl.auto">${hibernate.hbm2ddl.auto}</prop>             
            </props>
        </property>
    </bean>

    <bean id="hibernateTransactionManager"
          class="org.springframework.orm.hibernate4.HibernateTransactionManager">
        <property name="sessionFactory" ref="sessionFactory" />
    </bean>
    <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    </bean>
    <bean id="freemarkerConfigFactory" class="org.springframework.ui.freemarker.FreeMarkerConfigurationFactoryBean">
        <property name="templateLoaderPath" value="classpath:templates/"/>
    </bean>

<!--
    <bean id="daoAuthenticationProvider"
          class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService"/>
    </bean>

    <bean id= "authenticationManager" class= "org.springframework.security.authentication.ProviderManager">
        <constructor-arg>
            <list>
                <bean class= "org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                    <property name="userDetailsService" ref="userDetailsService"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>-->

        <sec:http>
        <sec:intercept-url pattern="/login.html"/>
        <sec:intercept-url pattern="/api/**" access="ROLE_ADMIN" />
        <sec:form-login login-page="/login.html"
                        authentication-failure-url="/login.html?error=failed"
                        login-processing-url="/login-please.html" />
        <sec:logout logout-url="/logoff-please.html"
                    logout-success-url="/logoff.html" />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider user-service-ref="userDetailsService">
            <sec:password-encoder hash="md5"/>
        </sec:authentication-provider>
    </sec:authentication-manager>

    <sec:http auto-config="true">
        <sec:intercept-url pattern="/api/**" access="ROLE_ADMIN" />
        <sec:logout logout-success-url="/login" />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="mkyong" password="password" authorities="ROLE_USER" />
                <sec:user name="eclipse" password="password" authorities="ROLE_ADMIN" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
    <sec:global-method-security pre-post-annotations="enabled" />
</beans>

EDIT: UserDetailsService

@Service("userDetailsService") 
public class UserDetailsServiceImpl implements UserDetailsService {
  @Autowired
  private UserDao userDao;
  @Autowired 
  private Assembler assembler;

  @Transactional(readOnly = true)
  public UserDetails loadUserByUsername(String username)
      throws UsernameNotFoundException, DataAccessException {

    UserDetails userDetails = null;
//      User userEntity = userDao.getUser(username);
User userEntity = new User();
userEntity.setUsername("admin");
userEntity.setPassword("$2a$10$hbxecwitQQ.dDT4JOFzQAulNySFwEpaFLw38jda6Td.Y/cOiRzDFu");

    if (userEntity == null)
      throw new UsernameNotFoundException("user not found");

    return assembler.buildUserFromUserEntity(userEntity);
  }
}

API works okay. but its not getting authenticated. Which means, even for the url which requires ROLE_ADMIN also works without any authentication. Any pointer towards fixing this will be helpful.