On 11/13/20 2:15 PM, Daniel Klco wrote:
Answers inline below.
On Thu, Nov 12, 2020 at 11:22 AM Nicola Cisternino <ncis...@cointa.it> wrote:
Hi all
We are newbies and come from the world of web containers (which manage the
http session state) so, my question is:
in Sling what is the best (and standard) way to:
1) login via WS (Servlet) called by a JS frontend
Sling supports a pluggable authentication system[1] and includes
support for form based[2] authentication. You can invoke the
form-based authentication endpoints directly to login / out via JS.
2) extend (logged) user data with custom info (state management)
In Sling, each user has a Resource representation under /home/users.
You could create additional child resources underneath the user's home
resource to create profile data.
3) restore the session state in subsequent WS calls (without logging in
again...)
In form-based authentication, Sling uses cookies to keep the Session
ID / Sling authentication between requests so this should be
transparent. This works well for "sticky" load balancing, but will be
challenging if you cannot ensure the user lands on the same server
between requests.
I would also note, it's best practice to not have Sling be the system
of record for user data. Another SSO / user data system will ensure
consistency across multiple Sling instances. There's an LDAP support
bundle[3] from Jackrabbit Oak (the underlying repository
implementation) which can be installed into recent versions of Sling.
We also have a work in progress implementation of SAML support in the
whiteboard (sandbox project).
Thanks a lot.
--
Nicola Cisternino
CTO - Ergon Project Manager - IT Architect
Cointa s.r.l.
Tel. +39 080 9371015
ncis...@cointa.it
http://www.cointa.it
[1] - https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
[2] - https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
[3] - https://jackrabbit.apache.org/oak/docs/security/authentication/ldap.html
Hi Daniel, and thank you for the reply.
I will align with these best practices!
--
Nicola Cisternino
CTO - Ergon Project Manager - IT Architect
Cointa s.r.l.
Tel. +39 080 9371015
ncis...@cointa.it
http://www.cointa.it
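
An added example (not part of the original thread, and not Sling project code) of the JS login from question 1 and the cookie-based follow-up calls from question 3. It assumes the form-based handler's default /j_security_check endpoint, its j_username / j_password / j_validate fields, and a 200 or 403 (with X-Reason header) answer to validation requests; confirm these against reference [2] for your Sling version.

```javascript
// Assumed defaults of Sling's form-based authentication handler (see lead-in).
const LOGIN_PATH = "/j_security_check";

// Build the login POST. URLSearchParams percent-encodes the credentials,
// so characters such as & and = in a password cannot alter the form body.
function buildLoginRequest(username, password) {
  const body = new URLSearchParams();
  body.set("j_username", username);
  body.set("j_password", password);
  body.set("j_validate", "true"); // ask for a status code instead of a redirect
  return {
    url: LOGIN_PATH,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
      credentials: "same-origin", // accept and resend the authentication cookie
    },
  };
}

// Map the handler's answer to a result the UI can act on.
function interpretLoginResponse(status, reason) {
  if (status === 200) return { ok: true };
  if (status === 403) return { ok: false, error: reason || "invalid credentials" };
  return { ok: false, error: "unexpected status " + status };
}

// fetchImpl is injectable so the flow can be exercised without a server.
async function login(username, password, fetchImpl = fetch) {
  const { url, init } = buildLoginRequest(username, password);
  const res = await fetchImpl(url, init);
  return interpretLoginResponse(res.status, res.headers.get("X-Reason"));
}

// Later service calls carry no credentials, only the cookie set at login.
function callService(path, fetchImpl = fetch) {
  return fetchImpl(path, { credentials: "same-origin" });
}
```

Serve the login endpoint over HTTPS only, since the password travels in the request body and the resulting cookie is the session credential.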