Serve static resources from Apache HTTPD but authorize with Spring Security?
I'm building (for my own education, partially reinventing the wheel), a photo album site, using Spring. The architecture calls for multiple users who will have access to only some albums, and possibly only some photos within albums.
In a naive implementation I would have Tomcat on port 80 and have Spring Security filter every request, including requests for the image files, which are static filesystem resources.
My actual deployment will have an Apache front-end, and I'd like to somehow be able to make Apache use the authentication that is being handled by Spring Security. That is, the user will initially login and be authenticated by Spring Security, but when a request comes in for an image file I want it served by Apache, but only if the user has the appropriate Spring Security role.
Is this possible? Do I need to set up, say, an OAuth provider and have both Apache and Spring Security defer to it? Or is there a better/simpler method?