After configuring custom Spring Security, Appian introduces the HTTP Strict Transport Security flag in the response header. This causes all requests to other applications, running the same hostname to use HTTPS. This is not a problem if the other applications are configured to use HTTPS. However, if the other applications are configured to use HTTP instead of HTTPS, then this flag will prevent the user from accessing these sites.
This is most likely caused due incorrect merging of Spring Security files in Appian. Since Appian 7.11, two Spring Security files disable the Spring Security Header:
<APPIAN_HOME>/ear/suite.ear/web.war/WEB-INF/conf/security/spring-security-05-web-api.xml
<sec:headers disabled="true"/>
<APPIAN_HOME>/ear/suite.ear/web.war/WEB-INF/conf/security/spring-security-07-portal.xml
The absence of these lines may be causing the issue.
Compare the out of the box Spring Security files and add the missing lines to respective override files.
This article applies to Appian 7.11 and later.
Last Reviewed: March 2017