You can simply create a class that extends from AbstractSecurityWebApplicationInitializer and it will automatically create/initialize the security filter chain for you. No code needed:
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}
Also, if you're only just creating a single dispatcher servlet, you could consider simply extending your WebAppIntializer class from AbstractAnnotationConfigDispatcherServletInitializer:
public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[]{WebSecurityConfig.class, App.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[]{WebConfig.class};
}
@Override
protected String[] getServletMappings() {
return new String[]{
"/"
};
}