There exists a tomcat webapp which supplies webservices that are protected using Spring Security. The customer constitutes a call to some specific authenticationService method which we authored to authenticate them and make an authToken that is then accustomed to register all of them with Spring Security as so:

SecurityContextHolder.getContext().setAuthentication( authToken )

That's all fine and good. However, we have the necessity that authenticated customers have the ability to access static content that is offered by Apache (httpd) on a single server. It is possible to method to enforce the necessity the user continues to be authenticated (by Java/Spring) before they are able to download the static content? It appears like Apache and Tomcat would need to in some way share the SecurityContext.

OR - alternatively it appears like Tomcat could serve the static content itself because it already can access the SecurityContext. If that's the very best solution, could anybody give a pointer to the way we would get tomcat to achieve that (serve static content after checking the user continues to be authenticated).


Yes, Tomcat will have for everyone the static content.

mvc:resources could be useful here. After that's setup safeguard individuals mappings while using standard intercept-url configuration.