I am using WebLogic to deploy my Spring Boot application, and the same application is deployed on multiple nodes. For example, the two nodes on which the application is deployed are 9001 and 9002. With basic security, even if I am authenticated on node 9001 and try to access the same URL on the second node, i.e. on 9002, I am redirected to the Spring login page again for authentication. I want that once I authenticate with username and password on any node, I need not authenticate again, even if I send requests to any other node.

Any kind of clue or help will be appreciated. Thanks in advance.

The Security configuration file is

```java
package com.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Single in-memory user; {noop} means the password is stored without encoding
        auth.inMemoryAuthentication()
            .withUser("test")
            .password("{noop}test")
            .authorities("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is disabled; only /userdetail requires an authenticated session
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/userdetail").authenticated()
            .anyRequest().permitAll()
            .and()
            .formLogin();
    }
}
```

  • You need to use `spring-session`, so that the session is stored in an external storage shared by all application servers. It can be a database, memcache or redis. By the way, how many nodes your application has should never be visible to clients. The application should be behind a load balancer. – Gaurav Mar 22 '22 at 17:49
  • Did you want to use WebLogic to do the actual authentication and use a pre-authentication filter in Spring Security to extract the WebLogic authentication details? – httPants Mar 23 '22 at 01:25
  • Thanks a lot @Gaurav. It worked if I enabled redis http session. – Mohammad Mayar Alam Mar 23 '22 at 10:38

1 Answer

In my case it worked for both nodes when I enabled RedisHttpSession. Below is the code which worked for me.

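```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

@Configuration
@EnableRedisHttpSession
public class RedisConfig {

    // With no arguments the factory connects to Redis on localhost:6379
    @Bean
    public JedisConnectionFactory connectionFactory() {
        return new JedisConnectionFactory();
    }
}
```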

Also, in pom.xml I needed to add two dependencies (for Spring Boot).

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-data-redis</artifactId>
</dependency>
```

You can also refer to the Spring docs about EnableRedisHttpSession, and read about Spring Session here:

https://docs.spring.io/spring-session/docs/current/api/org/springframework/session/data/redis/config/annotation/web/http/EnableRedisHttpSession.html

https://www.baeldung.com/spring-session
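
An added example, not part of the original answer or of the asker's project: once authenticated sessions live in a Redis store shared by every node, the store and the session cookie are what need protecting. The sketch below assumes Jedis is on the classpath as in the answer, that Redis has a password and a TLS listener, and that the nodes are served over HTTPS; the class name and the `session.redis.*` property names are hypothetical.

```java
package com.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisPassword;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.jedis.JedisClientConfiguration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800) // idle sessions expire after 30 minutes
public class SharedSessionConfig {

    // Hypothetical property names; supply them per environment instead of hard-coding the password.
    @Value("${session.redis.host}")
    private String host;
    @Value("${session.redis.port:6379}")
    private int port;
    @Value("${session.redis.password}")
    private String password;

    @Bean
    public JedisConnectionFactory connectionFactory() {
        // Every node points at the same Redis instance rather than the localhost default.
        RedisStandaloneConfiguration server = new RedisStandaloneConfiguration(host, port);
        // Anyone who can read the session keys can take over a logged-in session, so require auth.
        server.setPassword(RedisPassword.of(password));
        // Encrypt node-to-Redis traffic (assumes Redis is configured with a TLS listener).
        JedisClientConfiguration client = JedisClientConfiguration.builder().useSsl().build();
        return new JedisConnectionFactory(server, client);
    }

    @Bean
    public CookieSerializer cookieSerializer() {
        // Spring Session uses this bean when writing the session cookie on every node.
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setUseSecureCookie(true);   // only sent over HTTPS (assumes TLS in front of the nodes)
        serializer.setUseHttpOnlyCookie(true); // not readable from page scripts
        serializer.setSameSite("Lax");         // limits cross-site sends; CSRF is disabled in the question's config
        return serializer;
    }
}
```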