Serve static resources from Apache HTTPD but authorize with Spring Security?

[jgarrison]

I'm building (for my own education, partially reinventing the wheel), a photo album site, using Spring. The architecture calls for multiple users who will have access to only some albums, and possibly only some photos within albums.

In a naive implementation I would have Tomcat on port 80 and have Spring Security filter every request, including requests for the image files, which are static filesystem resources.

My actual deployment will have an Apache front-end, and I'd like to somehow be able to make Apache use the authentication that is being handled by Spring Security. That is, the user will initially login and be authenticated by Spring Security, but when a request comes in for an image file I want it served by Apache, but only if the user has the appropriate Spring Security role.

Is this possible? Do I need to set up, say, an OAuth provider and have both Apache and Spring Security defer to it? Or is there a better/simpler method?

[arthomps]

My actual deployment will have an Apache front-end, and I'd like to somehow be able to make Apache use the authentication that is being handled by Spring Security. That is, the user will initially login and be authenticated by Spring Security, but when a request comes in for an image file I want it served by Apache, but only if the user has the appropriate Spring Security role.

Is this possible?

Typically httpd is used in front of your servlet container. Meaning a request is processed by httpd before it hits the servlet container. If that's the case for your deployment, the answer to your question is no.

You could put your servlet container in front of httpd - but then I'm not sure you aren't gaining much if anything by using httpd at all.