When you run your SITE web application as a non-ROOT web application (with a non-empty context path like '/site') behind an Apache HTTP Server, and you want to map the root context path to your SITE web application path (e.g., '/**' -> '/site/**' and vice versa), you should take a careful look at the reverse proxy and rewriting configurations.
Unlike the HST-2 container itself, the Spring Security Framework is very sensitive to the servlet context path. Therefore, you have to add extra HTTPd configuration for your Spring Security enabled HST-2 site web application.
When you run your SITE web application as a non-ROOT web application behind an Apache HTTP Server, you will probably have configurations like the following example (Ref: Configure Apache httpd web server for site(s)):
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias *.example.com

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/site/
    ProxyPassReverse / http://127.0.0.1:8080/site/
    ProxyPassReverseCookiePath /site /
</VirtualHost>
The configuration shown above is not sufficient with the Spring Security Framework, because Spring Security always prepends the context path (e.g., '/site') when it redirects to a login page URL. The request is then redirected to '/site/login.jsp', for instance, which actually results in http://127.0.0.1/site/site/login.jsp in the end. This could lead to an infinite redirection when you set the login page URL to '/login.jsp' as a context-relative path in the Spring Security Framework configuration.
Therefore, one solution is to add a redirection rule that forcefully redirects /site/** to /*, like the following example:
<VirtualHost *:80>
    # -->8--SNIP -->8--

    # Rewrite security requests by Spring Security, since Spring Security is context-aware
    RewriteEngine on
    RewriteRule ^/site/(.*)$ /$1 [R=301]

    # -->8--SNIP -->8--
</VirtualHost>
In the example above, using the RewriteRule combined with a 301 redirection, you can secure your website, while still reverse-proxying your Spring Security enabled web application correctly.
Here is a full configuration example with the rewriting rule and reverse proxy configurations:
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias *.example.com

    # Rewrite security requests by Spring Security, since Spring Security is context-aware
    RewriteEngine on
    RewriteRule ^/site/(.*)$ /$1 [R=301]

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/site/
    ProxyPassReverse / http://127.0.0.1:8080/site/
    ProxyPassReverseCookiePath /site /
</VirtualHost>
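The redirect chain described above can be traced with a small model. This is an added example, not part of the original documentation or of Hippo's code: `backend`, `httpd` and `trace` are hypothetical names, the backend is assumed to protect every URL except the login page, and the Location header is assumed to reach the browser still carrying '/site', as the text describes.

```python
import re

CONTEXT = "/site"                      # servlet context path used on this page
LOGIN = "/login.jsp"                   # context-relative login page from the text
REWRITE = re.compile(r"^/site/(.*)$")  # pattern of the page's RewriteRule


def backend(path):
    """Modeled Spring Security app behind the proxy.

    Assumption: only the login page is public; any other URL is redirected
    to the login page with the context path prepended.
    """
    if path == CONTEXT + LOGIN:
        return 200, None
    return 302, CONTEXT + LOGIN


def httpd(path, rewrite_enabled):
    """Modeled virtual host: optional RewriteRule, then ProxyPass / -> /site/."""
    if rewrite_enabled:
        m = REWRITE.match(path)
        if m:
            return 301, "/" + m.group(1)  # RewriteRule ^/site/(.*)$ /$1 [R=301]
    # ProxyPass / http://127.0.0.1:8080/site/ prepends the context path.
    return backend(CONTEXT + path)


def trace(path, rewrite_enabled, max_hops=10):
    """Follow redirects the way a browser would; return (hops, outcome)."""
    hops, seen = [], set()
    for _ in range(max_hops):
        status, location = httpd(path, rewrite_enabled)
        hops.append((path, status))
        if location is None:
            return hops, "ok"
        if (path, location) in seen:      # same redirect issued twice
            return hops, "loop"
        seen.add((path, location))
        path = location
    return hops, "too many redirects"


if __name__ == "__main__":
    # "/news" is a constructed sample URL.
    for enabled in (False, True):
        print("RewriteRule", "on" if enabled else "off", trace("/news", enabled))
```

Without the rule, the browser's request for '/site/login.jsp' is proxied to '/site/site/login.jsp' and redirected again; with it, the 301 strips the prefix and the login page is served.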
In the previous section, we used RewriteRule with the mod_rewrite module in Apache HTTP Server. If you want to manage the rewriting rules at runtime, or manage all the rewriting rules in a central location managed by the Hippo Repository, you can consider using the URL Rewriter Plugin instead of RewriteRule backed by the mod_rewrite module.