We are using Camunda spring boot in a service inside a docker swarm.
We are doing some testing for camunda scalability in this environment. We found that the engine has no problem having multiple instances inside the cluster, but the webapp has some issues, possibly with session management, the camunda webb application is asking for credentials continuously.
Do you have any clue of what is going on with the camunda webapp? or some posible solutions for that behaviour? Are there a way to keep the session in the cluster with multiple services of camunda? or the only solution is try to separate camunda webapp from the engine and REST api.
Sounds like you’re heading towards a stateless, rest-oriented architecture.
Not sure the Camunda web-app parts are geared for that sort of configuration out-of-the-box. Hence, the credentials getting challenged per each time a request flows back into the Camunda stack. This means that there’s some expectation of ‘sticky’ session behavior with regards to logged in status.
Given the ‘swarm’ configuration, session information is getting lost because you don’t have a session-affinity (sticky session) setup for the cluster.
It’s been a little while since I’ve dug into current Camunda sources… recommend you do so. But, from my experience, you might want to take a look at a configuration implementing OpenID Connect (OIDC). This should offload authN/authZ requirements and prevent the repeating login challenge.
RedHat’s SSO solution, aka KeyCloak, is open-source and provides excellent documentation/example code.
Yes, we expected some sort of sticky session behavior and after experience the login challenge continuosly the first idea we had is to use just for the webapp some sort of HTTP proxy like Traefik and it worked but it feels like it wasn’t the perfect solution. I was hoping there was something I missed before trying to dig into Camunda sources… I will take a look to the alternatives you commented but it seems that we will have to start working with camunda source in a future if we want to avoid weird workarounds.