I've deployed Orbeon Forms side by side with another web application, lets call it myapp.war. My web application can send xhtml to Orbeon and save it to a datastore. I'm also using spring security for managing users. So in the web.xml I have the Spring Security filter declared first, then the Orbeon Forms filter. All this works fine.
If I deploy myapp in the root context (eg root.war) this breaks Spring Security when saving data. The reason is the save doesn't go via /myapp/orbeon/xforms-server-submit to be processed by Spring Security then the Orbeon forms filter but directly via /orbeon/xforms-server-submit because myapp has been deployed as root.
Does anyone know if there is a solution to this problem?
In fact the solution is really simple, I'd misunderstood exactly what was happening but by default servlet filters only apply to requests and not forwards so the Spring Security filter chain was not being applied when requests were forwarded from Orbeon and therefore the app was unauthenticated. Just add a FORWARD dispatcher to the xml configuration:
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
Hope this proves useful to someone.