0

I am considering migrating an application to Cloud Foundry since I'm tired of managing my server on my own. In my current application I use Spring Security and sessions to handle my user logins. I am however clueless on how to change my code so Cloud Foundry's multiple instances support my users being logged in in a somehow stateless way (but using a token). I have looked into UAA, but it seems that this is for Cloud Foundry users, not users of my application.

Something OAUTH2-like seems to be a solution, but it seems I would have to rely on third parties if I want to do it in a developer-friendly way. The Cloud Foundry (or Pivotal Web Services in this case) documentation is also quite unclear on the matter.

When looking at the Spring Cloud documentation, I do find information on how to use OAUTH2 providers like GitHub to do things like Authentication, but it doesn't show how to actually use the Principal or how to handle stuff like Authorization (role-based).

I assume there are ways to run my own OAUTH2 service, and that would be the recommended solution, but again, there's quite a lack of documentation.

Can anyone give me some pointers?

Kristof

2 Answers

1

A couple of key questions here are where is your user store currently? And what do you want to do with it moving forwards?

If you manage your own users and wish to continue doing so then, after migrating your users to the appropriate backing service and updating your app to be able to bind to that service using CF's VCAP_SERVICES env variable (also see Spring Cloud), our session affinity should allow you to push your app pretty much as-is. Otherwise a little further discussion is required.

Paul Warren
  • Currently my users are just stored in my application's db. I'd prefer to have them in some kind of global service but of course want to be able to manage them from my application. For DB integrity and so they can make an account on my application. – Kristof Nov 26 '15 at 20:49
  • Apologies for the delay in replying. Here are some pointers for you. In general if you use an external OAuth2 service like Facebook or Google with Spring's @EnableOauth2Sso as explained [here](http://stackoverflow.com/questions/29547671/rest-spring-own-oauth2-server-oauth2-providers-like-facebook-google-yahoo) I don't think you can offer user management. [Oauth.io](http://oauth.io/home) may be worth a look. May allow you to do both. Or if you want to stand up your own [OAuth2 server](https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2/authserver). – Paul Warren Jan 05 '16 at 11:26
  • Or you could deploy your own instance of the [UAA](https://github.com/cloudfoundry/uaa). There is also an SSO solution coming soon for Enterprise PWS customers (but it is not clear to me if you would be one of those or not? Assuming not). – Paul Warren Jan 06 '16 at 11:35
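
The VCAP_SERVICES binding mentioned in the answer above, sketched as an added example (not code from the answer or from Cloud Foundry): it looks up a bound user-store service by instance name and fails closed if the binding or its credentials are missing. The instance name `user-store`, the label `example-db`, the `uri` credential key and the sample JSON are assumptions constructed for illustration; Jackson is assumed on the classpath (Spring Boot ships it) and Java 15+ for the text block.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.util.Optional;

public class VcapUserStore {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Returns the "credentials" object of the bound service instance with the given name. */
    static Optional<JsonNode> credentialsFor(String vcapServicesJson, String instanceName)
            throws Exception {
        if (vcapServicesJson == null || vcapServicesJson.isBlank()) {
            return Optional.empty(); // not on Cloud Foundry, or nothing bound
        }
        JsonNode root = MAPPER.readTree(vcapServicesJson);
        // Top level maps a service label to an array of bound instances.
        for (JsonNode instances : root) {
            for (JsonNode instance : instances) {
                if (instanceName.equals(instance.path("name").asText())) {
                    return Optional.ofNullable(instance.get("credentials"));
                }
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, used only when the variable is absent (local run).
        String sample = """
            {"example-db": [{"name": "user-store", "label": "example-db",
              "credentials": {"uri": "postgres://app:REDACTED@db.example.internal:5432/users"}}]}
            """;
        String env = System.getenv("VCAP_SERVICES");
        JsonNode creds = credentialsFor(env != null ? env : sample, "user-store")
            .orElseThrow(() -> new IllegalStateException("service 'user-store' is not bound"));
        String uri = creds.path("uri").asText();
        if (uri.isEmpty()) {
            throw new IllegalStateException("bound service has no 'uri' credential");
        }
        // The URI embeds the password, so log only the host, never the full value.
        System.out.println("user store host: " + URI.create(uri).getHost());
    }
}
```

Because the credentials arrive through the environment at bind time, no database password needs to live in the application's source or packaged configuration.
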
0

Does this help:

https://docs.cloudfoundry.org/devguide/deploy-apps/prepare-to-deploy.html#sessions

Cloud Foundry supports session affinity or sticky sessions for incoming HTTP requests to applications if a jsessionid cookie is used. If multiple instances of an application are running on Cloud Foundry, all requests from a given client will be routed to the same application instance. This allows application containers and frameworks to store session data specific to each user session.

Amit Kumar Gupta
  • Well, I simply want an easy, scalable way to handle authentication and authorization of users :-) – Kristof Nov 26 '15 at 08:09