Problem solved. I'm just returning the URL to the PDF file, no controller. Put in a bypass for ROLE_ANONYMOUS for /**/*.pdf
That, and I have the Tomcat host address in a properties file now. Never trust getRemoteHost()... it doesn't always return a true address for the Tomcat host.
