Spring security's issue with load balance

**zhangxin** · Feb 17th, 2011, 09:44 PM

Hi There,

I am using Spring security 2.04 more than 1 year not issues. but I encountered one issue after recently upgrade single application server to 2 app servers with load balance.

Issue description:
if the login request via LB's vip, then the default target URL is note 1 or note 2 rather than LB.
For example: request from http://LB/login.jsp--> suppose URL is http://LB/index.jsp after login
but now it is either http://note1:8080/index.jsp or http://note2:8080/index.jsp

My configration of spring security xml:
<form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />

Load balance is centOS 5x +apache 2x
note1&note2 servers are centOS 5.x +tomcat 6x

PS:if use absolute path in the spring security xml, it works. but I don't want to fix path.

Thank you in advance!!

**Rob Winch** · Feb 19th, 2011, 03:14 PM

The URL that Spring Security uses is based upon the values in the HttpServletRequest object. You need to ensure that Tomcat or the load balancer are configured correctly in order for the HttpServletRequest to return the correct values. A good place to start is the Tomcat Reverse Proxy HowTo. If you have futher questions, I would search the Tomcat documentation and/or ask on the Tomcat forums.

Regards,

**zhangxin** · Feb 20th, 2011, 08:18 PM

Originally Posted by rwinch

The URL that Spring Security uses is based upon the values in the HttpServletRequest object. You need to ensure that Tomcat or the load balancer are configured correctly in order for the HttpServletRequest to return the correct values. A good place to start is the Tomcat Reverse Proxy HowTo. If you have futher questions, I would search the Tomcat documentation and/or ask on the Tomcat forums.

Regards,

Hi rwinch,
thank you for your reply

But I think it may not caused by the reverse proxy. As all of applications (by struts or spring mvc) are working fines except spring security login /logout and access-denied-page functions.
Let me know what're your think

Regards

**Rob Winch** · Feb 20th, 2011, 09:55 PM

My guess is that you either are not doing absolute redirects within Struts2 / Spring MVC. While many browsers support relative redirects, performing relative redirects does not comply with the HTTP specification. The spec states that the Location header must be an absolute URI. That is why Spring Security uses an absolute URI.

If you look at the code in LoginUrlEntryPoint you will see the values from the HttpServletRequest object are being used to determine the absolute URL for the redirect. Your options are to configure Spring Security to use relative URL's (techcnically will probaby work for most browsers but breaks HTTP spec) or configure your proxy or tomcat to populate the HttpServletRequest object correctly. If you choose to do relative redirects, you can search the forums for how to do it. However, I would strongly encourge you to keep with absolute redirects. First, it will likely be easier to configure tomcat as there are numerous places that Spring Security does absolute redirects. Second, and more importantly, it fixes any other code that is doing absolute redirects.

PS I realized that I missed including the link for Tomcat last time, so here is the link.

Cheers,

**zhangxin** · Feb 21st, 2011, 03:39 AM

Hi Rob,

Yap you are right. I am reading the source code. All of related codes use RedirectUtils.sendRedirect method and default useRelativeContext is false.

Thank your suggestion, I reset the load balance setting which change it from http to ajp @ apache httpd.conf. all of the problem solved.
Not more issues with login/logout and access denied functions

Thank for your great help !!

Thread: Spring security's issue with load balance

Thread Tools

Display

Spring security's issue with load balance

Posting Permissions