The CMS now contains several AngularJs apps that can trigger a security handshake between site and CMS. In that case, the CMS authentication URL created by the CmsSecurityValve is not correct. It uses the Referer header as the base for the authentical URL, which works fine in Wicket-based calls in the CMS. For example, the Referer header is then always 'http://localhost:8080/cms', which will create an authentication URL like 'http://localhost:8080/cms/auth?destinationUrl=...'.
However, AngularJs apps will first get an index.html file that contains the 'root' of the app. Subsequent Ajax calls by the app that trigger the security handshake will then use a Referer header that looks like, for example, 'http://localhost:8080/cms/angular/someapp/index.html'. The CMS authentication URL will then become 'http://localhost:8080/cms/angular/someapp/index.html/auth?destinationUrl=...', which won't work since the auth filter is not hit.
Instead of relying on the Referer header, the CmsSecurityValve should compare the fartest request host with the known CMS locations of the current request, and use the CMS location that matches as the base for the authentication URL.