Just a quick note for anyone using Apache as a proxy (commonly with Tomcat, Jetty or some other Java application server behind): if your application does not set the Content-Type header, Apache will apply one for you. Which one, you ask? Well, that depends on the extension of the URL your content is served from. If that URL is http://localhost:8080/app/spring_security_login, you get... text/plain. Bah.

Workaround: include 'DefaultType None' in your Apache config (works well in a VirtualHost).

The fix, of course, is to set the content type. I've submitted this to the Spring Security team; hopefully it'll make it into 2.0.1.
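
The workaround as it might sit in a proxying VirtualHost. This is an added example, not configuration from the original post; the ServerName and the /app proxy mapping are assumptions, and only the backend address comes from the URL above.

```apache
# Constructed example: ServerName and the /app mapping are assumptions.
<VirtualHost *:80>
    ServerName app.example.test

    # Without this line, Apache 2.2 falls back to its built-in default
    # (DefaultType text/plain) for responses that carry no Content-Type.
    # The value "None" (httpd 2.2.7 and later) leaves them unlabelled.
    DefaultType None

    # Requires mod_proxy and mod_proxy_http to be loaded.
    ProxyPass        /app http://localhost:8080/app
    ProxyPassReverse /app http://localhost:8080/app
</VirtualHost>
```

To check the result, request the login URL through the proxy with curl -I and confirm that Apache no longer adds Content-Type: text/plain.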