Camunda WebApp authentication/authorization with multiple instance

Our Camunda WebApp is embedded with spring boot application and runs behind Spring Cloud Gateway. WebApp has been scaled to multiple instances with application. We cannot set stick session at router or load balancer. We implement ContainerBasedAuthenticationProvider with OAuth2/JWT without using WebApp out of box basic authentication. So the JWT token passed to WebApp every request and Spring Security will do the Token verification so it becomes stateless. When request hitting https://{domain}/camunda/app/cockpit/default/, all other requests went fine with 200 response but one end point always gives 404 error


If WebApp runs in singles instance, it just works fine. Could the above endpoint always check session? Could we disable the check?

Another finding is that the above motioned request does not go through our ContainerBasedAuthenticationProvider.

I recall having sessions working with multiple instances alternatively by using Redis as a shared session store between the instances: Spring Session - Spring Boot

Spring Security creates session with cookie “SESSION”, but Camunda WebApp also create session with coolie JSESSIONID. We can use Redis as session store with Spring Boot and Spring Session, but it seems the Camuda session becomes an issue when WebApp scales to multiple instances without sticky session. How to make Camunda WebApp leverage session store to share session?

I see only SESSION cookie being sent to https://{domain}/camunda/api/admin/auth/user/default :flushed: