英文:
How to ensure "Always On" App Service starts automatically behind Azure AD
问题
我正在 Windows 操作系统上运行一个使用 Java 11 和 Tomcat 9.0 的 Spring Boot Web 应用程序,具有以下设置:
- 在“配置”资源下,“常规设置”选项卡中
- 打开了“始终运行”
- 在“身份验证/授权”资源下
- 启用了“应用服务身份验证”
- 将“请求未经身份验证时的操作”设置为“使用 Azure Active Directory 登录”
在重新启动应用程序(例如在部署时)时,该应用程序在未经身份验证的用户访问之前既不会启动也不会记录任何内容。这是一个重大问题,因为 Web 应用程序还会运行轮询消息的后台进程,然后这些消息只会在有人访问时才被处理。
将“请求未经身份验证时的操作”切换为“允许匿名(无操作)”可解决此问题,但出于安全原因,这并不是所期望的。
根据 https://learn.microsoft.com/en-us/azure/app-service/configure-common#configure-general-settings:
使用“始终运行”功能,前端负载均衡器会向应用程序根目录发送请求。无法配置此应用服务的应用程序端点。
访问应用程序根目录确实会启动它,因此我假设初始请求被重定向到了 Azure AD,因此没有触及 Java 代码并启动服务。
如何在甚至触及 Java 代码之前配置应用程序需要登录,并确保应用程序始终运行?
英文:
I'm running a Spring Boot web app on a Windows / Java 11 / Tomcat 9.0 App Service, with the following settings:
- under the "Configuration" blade, "General Settings" tab
- "Always On" is turned on
- In the "Authentication / Authorization" blade
- "App Service Authentication" is on
- "Action to take when the request is not authenticated" is set to "Log in with Azure Active Directory"
When restarting the app (e.g. on deploy) the app does not start up or log anything until an authenticated user hits the application. This is a major problem as the web app also runs background processes polling for messages which then just queue up until someone visits.
Switching to Action to take when request is not authenticated to "Allow anonymous (no action)" resolves this issue, but isn't wanted for security reasons.
According to https://learn.microsoft.com/en-us/azure/app-service/configure-common#configure-general-settings:
> With the Always On feature, the front end load balancer sends a request to the application root. This application endpoint of the App Service can't be configured.
Hitting the application root does start it up, so I'm assuming that that initial request to the application root is being redirected to Azure AD and therefore not hitting the Java code and starting the service.
How can I both configure the app to require login before even hitting the Java code, and ensure the app works "Always On"?
答案1
得分: 1
听起来您正在使用您的 Web 应用程序中的内置身份验证界面。这是否正确?
如果是这样的话,您可以避免这个问题,因为 Easy Auth 有一些“高级应用设置”可以解决这种情况,如果它阻碍了 Always On。
使用“WEBSITE_WARMUP_PATH”将允许匿名访问这个特定路径,以解决 Always On 的问题,而所有其他路径仍将需要身份验证。
此设置适用于在无需身份验证的情况下,需要访问 Web 应用程序中特定路径的非经过身份验证的客户端,例如 Azure Traffic Manager 或 Azure App Service 的 Always On 功能。设置后,对指定的 URL 路径的任何 HTTP 请求都将不会被 Easy Auth 拒绝,而不管针对未经身份验证的客户端的指定规则如何。
更多信息:https://github.com/cgillum/easyauth/wiki/Advanced-Application-Settings
英文:
It sounds like you are using the built in authentication blade of your web app. Is that correct?
If so, then you can avoid this issue as Easy Auth has a few "Advanced Application Settings" to account for this scenario if it's obstructing Always On.
Using "WEBSITE_WARMUP_PATH" will allow anonymous access to this particular path to account for Always On while all other paths will still require authentication.
This setting is intended for use when an unauthenticated client, such as Azure Traffic Manager or Azure App Service's Always On feature, needs to access a specific path in the web app without requiring authentication. When set, any HTTP requests to the specified URL path will not be rejected by Easy Auth, regardless of the specified rules for unauthenticated clients.
More information: https://github.com/cgillum/easyauth/wiki/Advanced-Application-Settings
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论