I am having a Spring MVC app which uses Spring Security for login. I am using Apache Webserver as Proxy and Tomcat. Below is my /etc/apache2/sites-enabled/example.com.conf file:
ServerAdmin [email protected]
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html
ProxyPreserveHost On
ProxyRequests off
ProxyPass /myapp/j_spring_security_check http://XX.YY.ZZ.WW:8080/myapp/j_spring_security_check
ProxyPassReverse /myapp/j_spring_security_check http://XX.YY.ZZ.WW:8080/myapp/j_spring_security_check
ProxyPass /myapp http://XX.YY.ZZ.WW:8080/myapp
ProxyPassReverse /myapp http://XX.YY.ZZ.WW:8080/myapp
My problem is now I have to access my site as:
www.example.com/myapp
where as I want to access it as
www.example.com
I tried playing with it but then the login didn't work properly. How should I set the ProxyPass & ProxyPassReverse for this?
I've been struggling with this same problem for a few days and I might have cracked it. I'm new to Spring Security so don't take this as gospel! Others might object... I'm using Apache 2.4 (on OS X) and Spring Security 4.1.1.
Everything ran perfectly well running locally, but whenever it was deployed to run behind a reverse proxy I got 404 errors every time I logged in. After much head scratching and Googling, here's what I found:
(As I don't have enough reputation points to post more that 2 links I've had to use a space after 'http://' for the URLs!)
Suppose Apache and Tomcat are running on the same host (localhost) with Apache configured to proxy requests from www.example.com to our web app deployed under the context path '/webapp'
External client requests protected URL: http:// www.example.com/secret
Apache proxies this to http:// localhost:8080/webapp/secret
One of Spring's security filters intervenes and responds with a redirect to /login
Browser fetches URL
Apache proxies this to http:// localhost:8080/webapp/login
Spring responds with its default login page
The interesting thing to note at this point is that the login form generated by Spring prefixes the forms action element with the context path (i.e. action="/webapp/login"). When you then click the submit button, a POST is performed to the URL /webapp/login
We now have a problem. When Apache proxies this to the backend server, the resulting URL will be http:// localhost/webapp/webapp/login. You can see this in the catalina.out log showing there is no handler that can handle the request as the context path is now appearing twice in the URL.
The problem here is that the ProxyPass and ProxyReversePass directives (mod_proxy module) only modifies the HTTP Location header, the URL is left untouched. What is needed is to strip the context path from the URL before it reaches the proxy which will add it back on. Apache's RewriteRule seems to do the trick:
Although this solved the 404 errors and I could see Apache was now proxying to the correct URL, I was constantly getting the login page re-displayed every time I logged in. This next bit of config seems to resolve this:
I believe this may be because the proxying was causing the domain and path in the cookie to be set incorrectly, but I have to read up some more about that!
I hope this helps someone else out there, and people with more expertise than me in this area can comment on whether this is a fair solution...
You could define virtualhosts. Something like this should do, I think:
I run a setup like this with Apache 2.4 here
This is possible if you define your own Filter & HttpServletRequestWrapper, with the Filter inserted before the Spring Security filter. By overriding the "getContextPath" to return the empty string, you can then set up an nginx/apache reverse proxy. (the basic concept of this comes from: http://www.lacerta.be/d7/content/keeping-real-user-ip-java-web-apps-behind-nginx-proxy, but that doesn't cover the context path)
In your dependency management software, add Servlet API:
(this of course assumes that you'll be running in a Tomcat/J2EE container).
And then, within your project or possibly a shared library, define two classes:
And then the wrapper:
And then add the correct filter before the spring filter (web.xml)
So then in the NGINX server block: