If I am using Spring Security and application server clustering and have the HTTP session being replicated, is it possible to have an authenticated user automatically fail over to another node in the cluster and still be logged in? Would it be better to use a distributed cache instead of replicating the session across the cluster?
Yes. Spring Security's Security Context is stored as a value inside your session. So if your session is replicated, the security context will be too, so it won't matter which worker your authenticated user hits.
Of course, session replication is not instantaneous, so it's possible that if your user authenticated just before the server went down, the failover server might not have a chance to pick up the replicated context. But if they authenticated, and went on to do a bunch of stuff, and then the server failed, the security context would have been replicated already, and the user's session should pick up where it left off, on the new failover server.
This will be slightly different under Tomcat vs JBoss vs WebLogic, so you really need to test to make sure your particular use case is covered.
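A pre-check for the replication described in the answer above, added here as an example and not part of the original answer: containers copy session attributes between nodes by Java serialization, so the stored security context must survive a serialize/deserialize round trip. The class name, user name, password and role are constructed for illustration; substitute the principal class your application really stores.

```java
import java.io.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.User;

// Hypothetical helper class, not part of Spring Security.
public class SecurityContextReplicationCheck {

    // Mimics what session replication does to a session attribute:
    // write the object graph to bytes, then rebuild it from those bytes.
    static SecurityContext roundTrip(SecurityContext ctx)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            // Throws NotSerializableException if any reachable field
            // (for example a custom principal) is not Serializable.
            out.writeObject(ctx);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return (SecurityContext) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample principal; replace with your own UserDetails type.
        User principal = new User("alice", "constructed-password",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication auth = new UsernamePasswordAuthenticationToken(
                principal, "constructed-password", principal.getAuthorities());
        SecurityContext original = new SecurityContextImpl();
        original.setAuthentication(auth);

        Authentication restored = roundTrip(original).getAuthentication();

        // The copy on the failover node must still describe the same login.
        if (restored == null || !restored.isAuthenticated()
                || !"alice".equals(restored.getName())
                || !restored.getAuthorities().equals(auth.getAuthorities())) {
            throw new IllegalStateException("security context changed in transit");
        }
        System.out.println("Security context survived serialization: "
                + restored.getName() + " " + restored.getAuthorities());
    }
}
```

Passing this check only shows the context can be replicated; whether it arrives before a node fails still has to be tested on the actual cluster.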