When you run your SITE web application as a non-ROOT web application (with a non-empty context path such as '/site') behind an Apache HTTP Server and want to map the root context path to your SITE web application path (e.g., '/**' -> '/site/**' and vice versa), take a careful look at the reverse proxy and rewriting configurations.
Unlike the HST-2 container itself, Spring Security Framework is very sensitive to the servlet context path. Therefore, you have to add extra Apache HTTP Server (httpd) configuration for your Spring Security enabled HST-2 site web application.
When you run your SITE web application as a non-ROOT web application behind an Apache HTTP Server, you will probably have configurations like the following example (Ref: Configure Apache httpd web server for site(s)):
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias *.example.com
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:8080/site/
  ProxyPassReverse / http://127.0.0.1:8080/site/
  ProxyPassReverseCookiePath /site /
</VirtualHost>
The configuration shown above is not sufficient with Spring Security Framework, because Spring Security always prepends the context path (e.g., '/site') to the login page URL it redirects to. The request is then redirected to '/site/login.jsp', for instance, which actually results in http://127.0.0.1/site/site/login.jsp in the end. This could lead to an infinite redirection when you set the login page URL to '/login.jsp' as a context-relative path in the Spring Security Framework configuration.
Therefore, one solution is to add a rule that forcefully redirects /site/** to /*, as in the following example:
<VirtualHost *:80>
  # -->8--SNIP -->8--
  # Rewrite security requests by Spring Security, since Spring Security is context-aware
  RewriteEngine on
  RewriteRule ^/site/(.*)$ /$1 [R=301]
  # -->8--SNIP -->8--
</VirtualHost>
In the example above, the RewriteRule combined with a 301 redirection lets you secure your website while still reverse-proxying your Spring Security enabled web application correctly.
Here is a full configuration example with the rewriting rule and reverse proxy configurations:
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias *.example.com
  # Rewrite security requests by Spring Security, since Spring Security is context-aware
  RewriteEngine on
  RewriteRule ^/site/(.*)$ /$1 [R=301]
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:8080/site/
  ProxyPassReverse / http://127.0.0.1:8080/site/
  ProxyPassReverseCookiePath /site /
</VirtualHost>
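The redirect behaviour described above can be traced with a small model of the two virtual host configurations. This is an added example, not code from the original documentation or from HST-2 or Spring Security; the functions `backend`, `httpd` and `follow` and the path '/secure' are hypothetical, and the model assumes the application's redirect to '/site/login.jsp' reaches the browser unchanged, as the text describes.

```python
import re

CONTEXT = "/site"                      # servlet context path used on this page
LOGIN = "/login.jsp"                   # context-relative login page URL
REWRITE = re.compile(r"^/site/(.*)$")  # pattern of the page's RewriteRule

def backend(path):
    """Assumed model of the secured web app: only the login page is public."""
    if not path.startswith(CONTEXT + "/"):
        return 404, None
    if path[len(CONTEXT):] == LOGIN:
        return 200, None
    # Spring Security prepends the context path to the login page URL.
    return 302, CONTEXT + LOGIN

def httpd(path, with_rewrite):
    """Model of the virtual host: optional RewriteRule, then ProxyPass."""
    if with_rewrite:
        m = REWRITE.match(path)
        if m:
            return 301, "/" + m.group(1)   # RewriteRule ... /$1 [R=301]
    return backend(CONTEXT + path)         # ProxyPass / .../site/

def follow(start, with_rewrite, max_hops=10):
    """Follow redirects like a browser; return (trace, looped)."""
    trace, path = [], start
    for _ in range(max_hops):
        status, location = httpd(path, with_rewrite)
        trace.append((path, status))
        if location is None:
            return trace, False
        path = location
    return trace, True   # still redirecting after max_hops

if __name__ == "__main__":
    for flag in (False, True):
        trace, looped = follow("/secure", flag)
        print("with RewriteRule" if flag else "proxy only", trace[:4],
              "LOOP" if looped else "done")
```

With the proxy-only configuration, '/site/login.jsp' is forwarded to the backend as '/site/site/login.jsp', which is not the login page, so every hop is redirected again. With the RewriteRule, the chain ends at '/login.jsp' after one 301.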
In the previous section, we used RewriteRule with the mod_rewrite module in Apache HTTP Server. If you want to manage the rewriting rules at runtime, or manage all the rewriting rules in a central location managed by Hippo Repository, then you can consider using the URL Rewriter Plugin instead of RewriteRule backed by the mod_rewrite module.