We have a Spring MVC app that uses Spring Security and has been in production for about a year and a half with no issues (running on JBoss 5.1). Recently, our IT department has made a change to JBoss's context.xml file, adding the following to the <context> element:

    <SessionCookie secure="true" httpOnly="true"/>

Since that change, we are still able to hit our login page and, after logging in, we are redirected to our main page. The problem seems to be that, after the main page is loaded, an AJAX call is made to the server to retrieve data and the response from that call is the HTML for the login page (as opposed to the data from our database). It seems as though the AJAX request is being made and the controller is trying to redirect back to the login page.
I thought this might be related to the fact that the addition of the above <SessionCookie> line causes a jsessionid to be appended to the URLs so, I added a
attribute to the security-config.xml file...that didn't work, we were not able to log on at all.
I then removed all of the Spring Security-related lines out of our web.xml, bypassing the security entirely, and that worked...we were able to get to our main page, which made its AJAX call and returned the expected data.
So, any ideas as to how I can get Spring Security and JBoss's HttpOnly cookies to work together?
Thanks in advance for anyone's help!
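The `secure="true"` attribute in the `<SessionCookie>` element above makes the container add the `Secure` flag to `JSESSIONID`, and a compliant client only sends a `Secure` cookie on HTTPS requests; `httpOnly="true"` adds `HttpOnly`, which hides the cookie from page scripts but does not affect whether it is sent. The following added example is not part of the question and is not JBoss or Spring code; it stores a constructed `Set-Cookie` header in Python's standard `http.cookiejar` and reports which `Cookie` header the jar would attach to a later request, so you can see the `Secure` rule in isolation. The hostname `app.example.com` and the session id `abc123` are constructed values.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample: the session cookie a container would set after login.
# "Secure" corresponds to secure="true" and "HttpOnly" to httpOnly="true".
LOGIN_URL = "https://app.example.com/login"  # assumed hostname
SET_COOKIE_HEADER = "JSESSIONID=abc123; Path=/; Secure; HttpOnly"


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie: str):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def build_session_jar() -> http.cookiejar.CookieJar:
    """Store the session cookie the way a browser would after the login response."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(SET_COOKIE_HEADER),
                        urllib.request.Request(LOGIN_URL))
    return jar


def cookie_header_for(jar: http.cookiejar.CookieJar, url: str):
    """Return the Cookie header the jar attaches to a request for `url`, or None.

    The default policy refuses to send a Secure cookie unless the request
    scheme is https, so a plain-http request goes out without the session id
    and the server treats it as an unauthenticated request.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def main() -> None:
    jar = build_session_jar()
    for url in ("https://app.example.com/api/data",
                "http://app.example.com/api/data"):
        print(f"{url} -> Cookie: {cookie_header_for(jar, url)}")


if __name__ == "__main__":
    main()
```

When checking a deployment like the one described, the same idea applies to the browser: compare the scheme of the page that made the AJAX call and of the AJAX URL itself against the scheme of the response that set the cookie, and confirm in the request headers whether `JSESSIONID` was actually sent.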