Hands off my content(-type), Apache!

Just a quick note for anyone using Apache as a proxy (commonly with Tomcat, Jetty or some other Java application server behind it): if your application does not set the Content-Type header, Apache will apply one for you. Which one, you ask? Well, that depends on the extension of the URL your content is served from. If that URL is http://localhost:8080/app/spring_security_login, you get...



Workaround: Include 'DefaultType None' in your Apache config (works well in a VirtualHost).

The fix, of course, is to set the content type. I've submitted this to the Spring Security team; hopefully it'll make it into 2.0.1.
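
One way to apply that fix inside the application, as an added example (not code from this post or from Spring Security): a servlet filter that gives every response a Content-Type before the rest of the chain runs, so the proxy never sees a response without one. The class name, the `fallbackType` init parameter and the `text/html` default are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Hypothetical filter: sets a fallback Content-Type on every response.
 * Servlets and filters further down the chain can still override it
 * with their own setContentType() call.
 */
public class DefaultContentTypeFilter implements Filter {

    // Assumed default; pick the type your unlabeled pages actually are.
    private String fallbackType = "text/html;charset=UTF-8";

    public void init(FilterConfig config) throws ServletException {
        // Optional override via <init-param> named "fallbackType" (assumed name).
        String configured = config.getInitParameter("fallbackType");
        if (configured != null && configured.trim().length() > 0) {
            fallbackType = configured.trim();
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Only fill the gap; never replace a type that is already set.
        if (response.getContentType() == null) {
            response.setContentType(fallbackType);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Declare its filter-mapping in web.xml ahead of the security filter's mapping so the login page response passes through it first.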