How should I secure my webapp written using Wicket, Spring, and JPA?


I don't know if you saw this blog post so I'm adding it here as reference and I'll just quote the end:

Update 2009/03/12: those interested in securing Wicket applications should also be aware that there is an alternative to Wicket-Security, called wicket-auth-roles. This thread will give you a good overview of the status of the two frameworks. Integrating wicket-auth-roles with Spring Security is covered here.
One compelling feature of wicket-auth-roles is the ability to configure authorizations with Java annotations. I find it somehow more elegant than a centralized configuration file. There is an example here.

Based on the information above and the one you provided, and because I prefer annotations too, I'd go for Wicket-Auth-Roles with Spring Security (i.e. guide 2). Extending AuthenticatedWebApplication shouldn't be a problem as this class extends WebApplication. And pulling your application object out of the Spring context using SpringWebApplicationFactory should also just work.

And if your concerns are really big, this would be pretty easy and fast to confirm with a test IMO :)
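
The combination described in the answer above, as an added sketch that is not code from the original post or from either project: a wicket-auth-roles application whose session delegates sign-in to Spring Security and whose pages are guarded by annotation. It assumes Wicket 6+ package names, Spring Security 3+, and an `AuthenticationManager` bean exposed in the Spring context; the holder class, `SecureApp`, `SpringSession`, `HomePage`, `AdminPage` and the `ROLE_ADMIN` role name are hypothetical.

```java
// Added illustration, not code from the page. Page markup (.html) files are omitted.
import org.apache.wicket.Page;
import org.apache.wicket.authroles.authentication.*;
import org.apache.wicket.authroles.authentication.pages.SignInPage;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.injection.Injector;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.Request;
import org.apache.wicket.spring.injection.annot.*;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.context.SecurityContextHolder;

public final class WicketSpringSecurityExample { // hypothetical holder so the sketch fits one file
    public static class SecureApp extends AuthenticatedWebApplication {
        @Override protected void init() {
            super.init(); // installs the role-based authorization strategy
            getComponentInstantiationListeners().add(new SpringComponentInjector(this));
        }
        @Override protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() { return SpringSession.class; }
        @Override protected Class<? extends WebPage> getSignInPageClass() { return SignInPage.class; }
        @Override public Class<? extends Page> getHomePage() { return HomePage.class; }
    }
    public static class SpringSession extends AuthenticatedWebSession {
        @SpringBean private AuthenticationManager authenticationManager; // assumed Spring bean
        private final Roles roles = new Roles(); // kept in the Wicket session between requests
        public SpringSession(Request request) { super(request); Injector.get().inject(this); }
        @Override public boolean authenticate(String username, String password) {
            roles.clear();
            try {
                Authentication auth = authenticationManager.authenticate(
                        new UsernamePasswordAuthenticationToken(username, password));
                for (GrantedAuthority a : auth.getAuthorities()) roles.add(a.getAuthority());
                // Lets Spring method security see the user during this request.
                SecurityContextHolder.getContext().setAuthentication(auth);
                return auth.isAuthenticated();
            } catch (AuthenticationException e) {
                return false; // fail closed on bad credentials, locked accounts, etc.
            }
        }
        @Override public Roles getRoles() { return isSignedIn() ? roles : new Roles(); }
    }
    public static class HomePage extends WebPage { }
    @AuthorizeInstantiation("ROLE_ADMIN") // only sessions holding this role may instantiate the page
    public static class AdminPage extends WebPage { }
}
```

Roles are copied at sign-in, so a role revoked in the backing store takes effect only after the user signs in again.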


We've been using Wicket-security for years now and we have used it together with JAAS files and with annotations. Defining JAAS files is quite a hassle and maintaining them is near impossible...

With annotations one has to define actions and principals for every page. This is time-consuming; however, it does allow you to let the user define roles and authorizations dynamically. It is also possible to test all the principals using the WicketTester.

Each of the 3 packages has its (dis)advantages; it's a matter of taste and it also depends on the size of the application.