Spring Security is redirecting to localhost on production server

Question

I have a grails application with the spring-security-core plugin installed. Everything works fine locally. I deployed to a staging server and everything worked fine. I deployed to our production server which is a mirror of our staging server. I can get to unprotected pages just fine. But when Spring Security kicks in and tries to do it's redirects it is redirecting to localhost instead of the grails.serverURL.

I'm going to turn up logging as high as possible and redeploy to see if I can make heads or tails of anything. I'll post my finding here. If anyone has experienced this before and knows what might be happening, please let me know. Also, if there are any configuration files that need to be seen I can provide those as well. Thanks.

Update I added the following to the bottom Config.groovy

grails.plugins.springsecurity.useSecurityEventListener = true

grails.plugins.springsecurity.onAuthorizationEvent = { e, appCtx ->
   println "here"
   println e
}

Locally, that closure gets hit 2 times when I try and access a protected page. Once for the initial url. Second time for the auth url. Deployed this to our production server and I get nothing.

Answer 1

The redirects are done in org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.commence() method, so you could set a breakpoint there if you're able to borrow one of the prod servers for debugging.

It builds the redirect URL based on the login form uri (e.g. /login/auth) but it uses request.getServerName() so it should be the same as the original request. Note that grails.serverURL has no impact here since it builds the URL using the requested server name, port, context, etc.

It might be affected by putting Apache or a load balancer in front of your servlet container, although I've done both and it's worked fine.

Have you done any bean customization in resources.groovy that might affect this?