KB-1284 Appian sets HTTP Strict Transport Security flag unexpectedly after configuring Spring Security

Nick Vigilante — Tue, 07 Mar 2017 16:01:38 GMT

Current Revision posted to Appian Knowledge Base by Nick Vigilante on 3/7/2017 4:01:38 PM

Symptoms

After configuring custom Spring Security, Appian introduces the HTTP Strict Transport Security flag in the response header. This causes all requests to other applications, running the same hostname to use HTTPS. This is not a problem if the other applications are configured to use HTTPS. However, if the other applications are configured to use HTTP instead of HTTPS, then this flag will prevent the user from accessing these sites.

Cause

This is most likely caused due incorrect merging of Spring Security files in Appian. Since Appian 7.11, two Spring Security files disable the Spring Security Header:

<APPIAN_HOME>/ear/suite.ear/web.war/WEB-INF/conf/security/spring-security-05-web-api.xml Line 41: <sec:headers disabled="true"/> Line 61: <sec:headers disabled="true"/>
<APPIAN_HOME>/ear/suite.ear/web.war/WEB-INF/conf/security/spring-security-07-portal.xml
Line 35: <sec:headers disabled="true"/>

The absence of these lines may be causing the issue.

Action

Compare the out of the box Spring Security files and add the missing lines to respective override files.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: March 2017

Tags: administration, authentication