Tags: tomcat, spring-security, mod-proxy, ajp

Spring Security and AJP proxy


I use Spring Security and an Apache proxy for a web app. When using standard mod_proxy everything is OK, but after switching to the AJP proxy a problem appears with Spring Security redirects.

Apache config:

<VirtualHost *:80>
  ServerName domain.com

  ProxyPass / ajp://localhost:8009/Context/
  ProxyPassReverse / ajp://localhost:8009/Context/
</VirtualHost>

When I call http://domain.com/login I see a login form.

When I submit the form I go to http://domain.com/auth and get authenticated.

Then Spring Security should redirect to http://domain.com/index, but instead it redirects to http://domain.com/Context/index.

How can I get rid of that context path? Why does Spring Security add it everywhere?

There was a similar question on the Spring Security site, but no one answered it:

http://forum.springsource.org/showthread.php?95141-Why-is-spring-security-including-the-context-path

P.S. It seems strange that Google doesn't find anything more related to this problem. Am I the only one who uses Spring Security + AJP? Maybe it's the wrong pattern?

Solution:

<VirtualHost *:80>
  ServerName domain.com

  RewriteEngine on
  RewriteRule ^/Context/(.*)$ /$1 [R=301]

  ProxyPass / ajp://localhost:8009/Context/
  ProxyPassReverse / ajp://localhost:8009/Context/
</VirtualHost>

Solution

  • Spring Security is web application context aware, meaning that its redirects will always be based upon the current web application context. This is by design since your app server may be running several distinct web applications which should not interfere with each other.

    Do you run only this application on your server and have the possibility to deploy it as the ROOT application on Tomcat (e.g. putting it into webapps/ROOT/)? This would eliminate your context prefix and solve your problem.

    Another option may be rewriting the redirect URL on the app server before it is passed to the client, e.g. with an outbound-rule from org.tuckey's great URLRewriteFilter (like mod_rewrite, but for Java EE web apps). Of course, you would have to take care of proper filter ordering in your web.xml, since Spring Security also uses filters for its logic.
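The second option in the answer above, written out as an added example (this is not the answerer's own configuration, nor code from the URLRewriteFilter or Spring Security projects). It assumes the context path is /Context as in the question, URLRewriteFilter 3.2 configuration syntax, and a web.xml in which Spring Security is wired through the usual DelegatingFilterProxy named springSecurityFilterChain. The outbound-rule is applied to every URL the application passes through response.encodeURL/encodeRedirectURL, which is how Spring Security's redirects reach the container, so the context prefix is dropped before the Location header leaves the app server. The filter-mapping order matters: UrlRewriteFilter must be mapped before springSecurityFilterChain, otherwise Spring Security wraps the response first and the outbound rule never sees its redirects.

```xml
<!-- WEB-INF/urlrewrite.xml (added example; assumes URLRewriteFilter 3.2 DTD) -->
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 3.2//EN"
        "http://www.tuckey.org/res/dtds/urlrewrite3.2.dtd">
<urlrewrite>
    <outbound-rule>
        <note>
            Strip the /Context prefix that Spring Security prepends to its
            redirects and encoded links. The pattern is anchored to this
            application's own context path, so URLs pointing elsewhere
            (absolute URLs, other applications on the same container) are
            left untouched.
        </note>
        <from>^/Context/(.*)$</from>
        <to>/$1</to>
    </outbound-rule>
</urlrewrite>

<!-- Relevant part of WEB-INF/web.xml (added example). The filter chain runs
     in filter-mapping order, so the rewrite filter is mapped first. -->
<filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- 1. Wrap the response with the outbound rewriting before anyone else runs. -->
<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- 2. Spring Security now redirects through the already-wrapped response. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

With this in place, the post-login redirect the question describes leaves Tomcat as http://domain.com/index, and Apache's existing ProxyPass / ajp://localhost:8009/Context/ mapping routes the follow-up request back into the application. A quick check is to submit the login form with a client that does not follow redirects and inspect the Location header returned by Apache: it should no longer contain /Context/. Keeping the rule anchored on the context path, rather than rewriting arbitrary Location values, is what keeps this from turning a redirect fix into a way to alter redirects to other hosts.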