Are there issues with using Spring Security's HttpSessionSecurityContextRepository on CloudFoundry?

Question

I understand that Spring Security's HttpSessionSecurityContextRepository makes use of HttpSession.

Furthermore, I have read that PaaS such as CloudFoundry try to avoid session replication for the purpose of scalability.

I intend to deploy an application to the CloudFoundry PaaS.

Are there issues with using HttpSessionSecurityContextRepository on CF?

Answer 1

CloudFoundry documentation simply says that HTTP Sessions are not replicated across instances by default. All this means is that applications deployed on multiple instances will be unable to use any sort of HTTP session clustering by default. HTTP sessions become sticky, that is, all HTTP requests in the same session will be routed to the instance on which the session for the request resides. In case an instance fails, users who had active session on that instance will be migrated to other instances but they will lose their session information, which will mean they will have to login again.

This does not mean it is unsafe to use Spring Security in such an environment. The semantics with Spring Security will be the same as those without it. Once a user has logged in, they will continue to access the CloudFoundry instance on which their session was created. If that instance crashed, they will be automatically ported to another instance but will have to login again.

If the default set up (without session replication) is a concern, it is certainly possible to share sessions across instances. CloudFoundry forums list two ways of achieving this - via Redis and using JDBC. It is also possible to implement your own solution using one of the CloudFoundry services.