Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to ensure "Always On" App Service starts automatically behind Azure AD

Tags:

java

spring-boot

azure-web-app-service

azure-active-directory

I'm running a Spring Boot web app on a Windows / Java 11 / Tomcat 9.0 App Service, with the following settings:

  • under the "Configuration" blade, "General Settings" tab
    • "Always On" is turned on
  • In the "Authentication / Authorization" blade
    • "App Service Authentication" is on
    • "Action to take when the request is not authenticated" is set to "Log in with Azure Active Directory"

When restarting the app (e.g. on deploy) the app does not start up or log anything until an authenticated user hits the application. This is a major problem as the web app also runs background processes polling for messages which then just queue up until someone visits.

Switching to Action to take when request is not authenticated to "Allow anonymous (no action)" resolves this issue, but isn't wanted for security reasons.

According to https://learn.microsoft.com/en-us/azure/app-service/configure-common#configure-general-settings:

With the Always On feature, the front end load balancer sends a request to the application root. This application endpoint of the App Service can't be configured.

Hitting the application root does start it up, so I'm assuming that that initial request to the application root is being redirected to Azure AD and therefore not hitting the Java code and starting the service.

How can I both configure the app to require login before even hitting the Java code, and ensure the app works "Always On"?

like image 544
David Giles Avatar asked Dec 06 '25 18:12

David Giles

1 Answers

It sounds like you are using the built in authentication blade of your web app. Is that correct?

If so, then you can avoid this issue as Easy Auth has a few "Advanced Application Settings" to account for this scenario if it's obstructing Always On.

Using "WEBSITE_WARMUP_PATH" will allow anonymous access to this particular path to account for Always On while all other paths will still require authentication. This setting is intended for use when an unauthenticated client, such as Azure Traffic Manager or Azure App Service's Always On feature, needs to access a specific path in the web app without requiring authentication. When set, any HTTP requests to the specified URL path will not be rejected by Easy Auth, regardless of the specified rules for unauthenticated clients.

More information: https://github.com/cgillum/easyauth/wiki/Advanced-Application-Settings

like image 133
Bryan Trach-MSFT Avatar answered Dec 08 '25 06:12

Bryan Trach-MSFT
Sign in to Comment

Related questions

Cannot configure spring boot security - always 403

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!