Proxy pass fails with Spring secuity

Question

i have written set of rules to redirect

http://server.com/application/c/<UserIdValue>

type of url's to

http://localserver.com/application/?userid=<UserIdValue>

i wrote the following rules in apache httpd.conf

<Location  /application>
  ProxyPassReverse http://server.com/application/ 
  RewriteEngine On

  RewriteCond %{REQUEST_URI} /c/ [NC]
  RewriteRule application/c/(.*)$ http://localserver.com/application/?userid=$1 [QSA,P]

With this i can access login page and other pages in my application, but when i try to login/logout in application , it break into 'localserver' location .

the problem is with spring security j_spring_security_check, j_spring_security_logout. i dont have any clue what to do for this.

Spring security is taking precedence over proxy pass!!!!!

Answer 1

There are two things you will have to change to get this to work:

1. Change your ProxyPass / ProxyPassReverse lines to not end with a trailing /.
2. Tell your Application Server to set the contextURL correctly (ProxyPassReverse won't change URIs on forms for you). If you are using Tomcat, you do this by editing conf/server.xml, finding the tag that has the attribute protocol="HTTP/1.1" on it, and adding two new attributes: proxyHost="localserver.com" proxyPort="80" (you don't strictly need the proxyPort="80" if localserver.com and server.com are running on the same port).

The cause of problem 1 is that Spring Security doesn't normalise URIs, so if the proxy gives your application server a URI like http://server.com/application//j_spring_security_check, the Spring Security interceptor will match it against http://server.com/application/j_spring_security_check, note that it is different due to the extra slash, and refuse to intercept the request.