  • Spring Security setup question: do I have to cluster

    I appreciate any help. I sure hope someone can answer my question. I am having a hard time getting a clear answer. For a website, do I have to cluster my Tomcats because of the need to share sessions because of Spring Security?
    Based on what I have read, it sounds to me like the answer is yes. But I am wondering, do I have to? What are my options to pass the user's authentication state between servers? Is clustering the only way?

    Thank you very much for your help.

  • #2
    I don't really understand. Why do you think you need to use clustering?



    • #3
      Wow, that was quick. Thank you for your response. I am sorry for my ignorance. I don't understand how the following would work. I have a pool of machines running a website. A user is prompted to login and one of the machines authenticates the request as good by showing a login form. Now the same user sends a request for a resource and this request is handled by a different machine. How does the new machine know that the user has been authenticated by another machine? I was under the impression this was done by a session, and that session needs to be shared in some way with all the machines that could handle a request from this user.



      • #4
        Yes, you're right. When the user authenticates, the session object (HttpSession) is created and stored in the memory of that concrete server. When the user's request goes to another server, the application cannot find the session object (it is not in its memory), so the user is again prompted to log in.

        Maybe you could try http://www.jasig.org/cas. I didn't use it, but I read that there is Spring support for this project.

        Best regards.



        • #5
          This would apply to any stateful application which uses a session, so is not specific to Spring Security.

          Most sites would use a load-balancer which directs the user to the same server instance based on their session Id, but it depends on your requirements and the server technology you have in place.



          • #6
            I totally agree with you, Luke, I was only trying to suggest one of the options and some examples can be found in Spring docs. I agree that CAS is an independent project and it is not Spring Security specific.
            Of course, LB with sticky sessions is a good solution and you've said it all.



            • #7
              Originally posted by Abraxxxas
              I totally agree with you, Luke, I was only trying to suggest one of the options and some examples can be found in Spring docs.
              I was actually replying to the original poster, rather than your response (which I only saw afterwards) - so I wasn't actually referring to CAS.



              • #8
                Just as an FYI, sticky sessions are usually combined with session replication (which can copy the session to another JVM) in the event that one of the JVMs crashes. Here is a link to the Tomcat documentation on clustering. You will find that the concepts are similar for other application servers.

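The behaviour described in posts #3 to #8, as an added example that is not part of the original thread: a small Python simulation (not Tomcat or Spring Security code) of per-node in-memory sessions, sticky routing by session id, and session replication when a node crashes. The `Node`, `Balancer` and `scenario` names, the `node1`/`node2` route labels and the `alice` user are constructed for illustration.

```python
import itertools
import secrets

class Node:
    """One app server; sessions live only in this process's memory."""
    def __init__(self, route):
        self.route, self.up, self.peers = route, True, []  # peers = replication targets
        self.sessions = {}                                 # session id -> authenticated user

    def login(self, user):
        # The id carries the node's route label, as Tomcat's jvmRoute suffix does.
        sid = f"{secrets.token_hex(8)}.{self.route}"
        self.sessions[sid] = user
        for peer in self.peers:          # session replication: copy to peers
            peer.sessions[sid] = user
        return sid

    def handle(self, sid):
        user = self.sessions.get(sid)
        return f"200 {user}" if user else "302 /login"

class Balancer:
    def __init__(self, nodes, sticky):
        self.nodes, self.sticky = nodes, sticky
        self._rr = itertools.cycle(nodes)

    def route(self, sid=None):
        if self.sticky and sid:          # sticky: send to the node named in the id
            owner = next((n for n in self.nodes if sid.endswith("." + n.route)), None)
            if owner and owner.up:
                return owner
        for _ in self.nodes:             # otherwise round-robin over live nodes
            node = next(self._rr)
            if node.up:
                return node
        raise RuntimeError("no node available")

def scenario(sticky, replicate, crash=False):
    """Log in once, optionally crash that node, then send three requests."""
    a, b = Node("node1"), Node("node2")  # constructed two-node pool
    if replicate:
        a.peers, b.peers = [b], [a]
    lb = Balancer([a, b], sticky)
    first = lb.route()
    sid = first.login("alice")
    first.up = not crash
    return [lb.route(sid).handle(sid) for _ in range(3)]

if __name__ == "__main__":
    for args in [(False, False), (True, False), (True, False, True), (True, True, True)]:
        print(args, scenario(*args))
```

Without stickiness or replication the user is bounced to the login page whenever the other node answers; stickiness alone fixes that until the owning node goes down, which is the gap replication closes.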