Ronald Gouldner Jr

Reputation: 361

Should multiple Spring Boot App instances running behind a load balancer work with spring CAS user authentication?

I have a Spring Boot application I am working on that uses CAS authentication. I have CAS working fine; however, once I start more than 1 copy of the application behind a load balancer, the app fails to authenticate.

The app takes the user off to CAS and returns to the home page where, once authenticated, the user should see the main interface. But instead, when it returns from CAS, the Spring Security authenticated check still thinks the user isn't authenticated.

If I reduce my instances down to 1 it starts working fine again.

I am running this app behind an F5 load balancer, so I am trying to figure out if there is some missing configuration on the F5 or if there is something I need to do in my app to deal with the switch from one server to another etc. I assume this is causing the issue, but I want to keep my app stateless and not rely on making the F5 sticky for a given user. Actually, I even tried setting the feature on the F5 but still get the same behavior, so I am not sure what is really happening once more than 1 app instance is running.

My understanding was that this should just work because I have server.use-forward-headers=true configured.

Am I missing some other CAS, Spring Boot Server, or Spring Boot Security settings that are necessary to make this work?

Should this be working with CAS authentication?

I am using Spring Boot 2.0.4.RELEASE. I am using spring-security-cas-client 3.0.8.RELEASE.

Upvotes: 2

Views: 1918

Answers (3)

Ronald Gouldner Jr

Reputation: 361

I found the solution to this issue. It seems Spring Boot Security defaults to session-based security, so you need to implement your own stateless security to get this working in a stateless manner.

Thanks to this blog post and some additional help from the blog post author, I was able to get this working perfectly in Spring Boot 2.x.

Check out the post, it's interesting and works perfectly.

https://www.dedicatedcode.com/posts/stateless-authentication/

Thanks to others who provided answers that sent me in the correct direction to find this solution.

Upvotes: 1
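
The failure described in the question and the stateless fix named in the answer above, as an added example (not code from the original posts, the linked blog post, Spring Security or the CAS client). It is a plain-Java model: `AppInstance`, `KEY`, and the `user|expiry|HMAC` token layout are assumptions made for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.*;
public class StatelessAuthDemo {
    // Assumption: every instance is configured with the same signing key (constructed value).
    static final byte[] KEY = "constructed-demo-key".getBytes(UTF_8);
    static String hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            byte[] tag = mac.doFinal(data.getBytes(UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    static class AppInstance {
        // Session-based default: the login is remembered only in this instance's memory.
        private final Map<String, String> sessions = new HashMap<>();
        String loginWithSession(String user) {
            String id = UUID.randomUUID().toString();
            sessions.put(id, user);
            return id;
        }
        Optional<String> userFromSession(String id) { return Optional.ofNullable(sessions.get(id)); }
        // Stateless variant: the cookie value carries user, expiry and an HMAC over both.
        String loginStateless(String user, long expiresAt) {
            String payload = user + "|" + expiresAt;
            return payload + "|" + hmac(payload);
        }
        Optional<String> userFromToken(String token, long now) {
            String[] p = token.split("\\|");
            // Constant-time compare; the expiry is parsed only after the signature checks out.
            if (p.length != 3 || !MessageDigest.isEqual(hmac(p[0] + "|" + p[1]).getBytes(UTF_8), p[2].getBytes(UTF_8)))
                return Optional.empty();
            return Long.parseLong(p[1]) > now ? Optional.of(p[0]) : Optional.empty();
        }
    }

    public static void main(String[] args) {
        AppInstance a = new AppInstance(), b = new AppInstance();
        long now = System.currentTimeMillis() / 1000;
        String sid = a.loginWithSession("alice"); // CAS callback handled by instance A
        System.out.println("session seen by B: " + b.userFromSession(sid));
        String tok = a.loginStateless("alice", now + 300);
        System.out.println("token seen by B:   " + b.userFromToken(tok, now));
        System.out.println("tampered token:    " + b.userFromToken("admin" + tok.substring(5), now));
        System.out.println("expired token:     " + b.userFromToken(tok, now + 301));
    }
}
```

Instance B has no record of a session created on instance A, which is the post-redirect "not authenticated" symptom; the signed token verifies on any instance that holds the key, and a modified or expired token is rejected.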

Ng Sek Long

Reputation: 4786

If you are using OAuth / SAML / Delegated Authentication, then you might need to set your F5 load balancer (or any load balancer) to enable "session persistence" in order for the CAS server to function normally.

Upvotes: 0

Saurabh Sarathe

Reputation: 231

I believe the problem is with a multiple CAS server cluster. When your Spring Boot application is looking for a valid ticket, it fails to authenticate. CAS has support for this kind of situation; try reading the link below.

https://apereo.github.io/cas/5.2.x/installation/Hazelcast-Ticket-Registry.html

If the above solution works, you have to add a dependency for the support and update your property files. Hope this helps.

Upvotes: 0
