Answers inline below.

On Thu, Nov 12, 2020 at 11:22 AM Nicola Cisternino <ncis...@cointa.it> wrote:
>
> Hi all
> We are newbies and come from world of web containers (which manage the
> http session state) so, my question is:
> in Sling what is the best (and standard) way to:
> 1) login via WS (Servlet) called by a JS frontend

Sling supports a pluggable authentication system[1] and includes support for form based[2] authentication. You can invoke the form-based authentication endpoints directly to login / out via JS.

> 2) extend (logged) user data with custom info (state management)

In Sling, each user has a Resource representation under /home/users. You could create additional child resources underneath the user's home resource to create profile data.

> 3) restore the session state in subsequent WS calls (without login
> again...)

In form-based authentication, Sling uses cookies to keep the Session ID / Sling authentication between requests so this should be transparent. This works well for "sticky" load balancing, but will be challenging if you cannot ensure the user lands on the same server between requests.

I would also note, it's best practice to not have Sling be the system of record for user data. Another SSO / user data system will ensure consistency across multiple Sling instances. There's a LDAP support bundle[3] from Jackrabbit Oak (the underlying repository implementation) which can be installed into recent versions of Sling. We also have a work in progress implementation of SAML support in the whiteboard (sandbox project).

> Thanks a lot.
>
> --
> Nicola Cisternino
> CTO - Ergon Project Manager - IT Architect
> Cointa s.r.l.
> Tel. +39 080 9371015
> ncis...@cointa.it
> http://www.cointa.it

[1] - https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
[2] - https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
[3] - https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
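
The form-based login from a JS frontend discussed in the reply above, as an added example that is not part of the original thread and is not Sling project code. It assumes the handler's default /j_security_check path, the j_username / j_password / j_validate form fields and the X-Reason response header from the Sling documentation linked as [2]; the function names and the sling.example.com host are hypothetical.

```javascript
// Added example. Assumed defaults of Sling's form-based authentication handler.
const LOGIN_PATH = "/j_security_check";

// Build the login request. Credentials travel in a form-encoded POST body,
// never in the URL, and plain http:// is refused except for local development.
function buildLoginRequest(baseUrl, username, password) {
  const url = new URL(LOGIN_PATH, baseUrl);
  const local = url.hostname === "localhost" || url.hostname === "127.0.0.1";
  if (url.protocol !== "https:" && !local) {
    throw new Error("refusing to send credentials over " + url.protocol);
  }
  const body = new URLSearchParams({
    j_username: username,
    j_password: password,
    j_validate: "true", // ask for a 200/403 status instead of a redirect
  });
  return {
    url: url.href,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
      // The browser stores the authentication cookie and resends it on later
      // same-origin calls; the script never needs to read or keep it.
      credentials: "same-origin",
    },
  };
}

// Map the handler's answer to a result the UI can act on.
function interpretLoginResponse(status, reason) {
  if (status === 200) return { ok: true };
  if (status === 403) return { ok: false, error: reason || "invalid credentials" };
  return { ok: false, error: "unexpected status " + status };
}

// fetchImpl is injectable so the flow can be exercised without a server.
async function login(baseUrl, username, password, fetchImpl = globalThis.fetch) {
  const { url, init } = buildLoginRequest(baseUrl, username, password);
  const res = await fetchImpl(url, init);
  return interpretLoginResponse(res.status, res.headers.get("X-Reason"));
}
```

Because the session lives in the cookie, subsequent servlet calls made with the same credentials mode need no further login step.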