Spring security context aware login redirects
Most people tend to hide their Java Tomcat applications behind some kind of HTTP server.
Not only does this allow for a level of indirection, where we can have an additional layer of security / auditing / logging, but it also hides a lot of the internals associated with our Java based web application.
When we deploy a web application on Tomcat, we deploy a WAR file that exposes our application via a context root.
So we could have an application called myApp that runs on a Tomcat server on port 8080 like this
Obviously we don’t want to expose this prt number (8080) and we don’t want to have myApp as part of the URL. What we would rather have is something like this :
This can be achieved very easily using an Apache HTTP server. We simply need to configure a virtual host like this:
NameVirtualHost *:80 <VirtualHost *:80> ServerName acme.org ProxyPreserveHost On ProxyPass / http://mytomcat.acme.org:8088/myApp ProxyPassReverse / http://mytomcat.acme.org:8088/myApp </VirtualHost>
This is all very well, but application frameworks like Spring Security are not aware of this, and are very much web application context aware.
This means that when we define the following rule in Spring Security :
<form-login login-page='/login' default-target-url="/" authentication-failure-url="/login"/>
(telling Spring Security that it should redirect the user to /login when the user is not authenticated), that Spring will redirect the user to
This is an invalid URL, as it would map to
http://mytomcat.acme.org:8088/myApp/myApp. Spring Security is not aware of the fact that there is an Apache HTTP Server running.
There’s an easy way to fix this. By adding the following
RewriteRule we can strip the web application context from the URL when Spring Security does its redirect.
<VirtualHost *:80> ServerName acme.org RewriteEngine on RewriteRule ^/myApp/(.*)$ /$1 [R=301] ProxyPreserveHost On ProxyPass / http://mytomcat.acme.org:8088/myApp ProxyPassReverse / http://mytomcat.acme.org:8088/myApp </VirtualHost>