Persisting Users to external database | Community
Level 3
October 16, 2015
Solved

Persisting Users to external database


I want to persist /home/users to a location outside of the AEM application. I read I could connect AEM to an external database so I assume that's a way to do this. But in that case my entire JCR would be external, and I suspect this might have performance issues.

Hence my question. Would it be possible to only keep user data (password and username) outside of the JCR? I would like to still make use of CUG for protected pages. So in other words, I am looking for a solution that won't disrupt any OOB user functionality too much.

Apologies if this question has been asked before, but I can hardly search the forum at the moment, I get blank pages returned.

Many thanks, K

Best answer by Ove_Lindström

No, you don't have to persist the whole JCR. Connecting to a database is the same as connecting to a REST service. You just set up a data connection in a Java class, same as you do with any database connection, then read the /home/user info and push it into the database.

Then, if you change the user in the database, you still need to sync the information into /home/users. If you search for SAML integration or LDAP integration, that is basically what they are doing.

 

/Ove

12 replies

Level 6
October 16, 2015

It is not a big problem if you want to use an external authenticator and create your own connector. You can even store everything in the external system and have AEM go and ask for the information every time (like a Kerberos authenticator).

However, storing the absolute minimum of information about the user in the JCR of your system would have the benefit of being able to utilize the built-in functionalities that need a Principal object that holds the information about user id, user name and group belongings. If you can create that at runtime from your Authentication Service, that is perfectly fine, but in most cases, just having the user "cached" in the JCR would be the best way to do it. No information that is not stored in the comments, profiles or any other type of user-created content is stored there anyway, so the Security department argument that "no information about the user may ever be stored in any place that is outside of our safe box" is, sorry about the French, pure bu...it. The trick here is to not talk about user authentication data but about the user as content. The Principal that tells the system who you are and what you can do should be handled with care. The information from the Principal that is used to create content is public.

You get the difference??

/Ove
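The "cached" user described in the posts above, as an added example that is not part of the original thread and not AEM's own code: it mirrors one external account into the JCR user store through the Jackrabbit `UserManager` API, keeping only the user id, enabled state and group memberships that CUGs rely on, with no password. `ExternalUserCache` and `ExternalAccount` are hypothetical names. It assumes an Oak-based repository that accepts a null password, that authentication against the external store is handled separately, and that the external store is authoritative for group membership.

```java
import java.util.*;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.*;

/** Hypothetical helper, not an AEM class: mirrors one external account into the JCR user store. */
public final class ExternalUserCache {

    /** Constructed shape of a row read from the external database (names are assumptions). */
    public static final class ExternalAccount {
        final String userId;
        final boolean active;
        final Set<String> groupIds;
        public ExternalAccount(String userId, boolean active, Set<String> groupIds) {
            this.userId = userId; this.active = active; this.groupIds = groupIds;
        }
    }

    public static void sync(Session session, ExternalAccount account) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable existing = um.getAuthorizable(account.userId);
        if (existing != null && existing.isGroup()) {
            throw new RepositoryException("External user id collides with a group: " + account.userId);
        }
        // Assumption: Oak accepts a null password, so no password hash is written to the JCR.
        User user = existing != null ? (User) existing : um.createUser(account.userId, null);
        // A non-null reason disables login; null re-enables the account.
        user.disable(account.active ? null : "Disabled in external user store");

        // Snapshot current memberships before changing them.
        List<Group> current = new ArrayList<>();
        user.declaredMemberOf().forEachRemaining(current::add);
        for (Group g : current) {
            if (!account.groupIds.contains(g.getID())) {
                g.removeMember(user); // revoke CUG access the external store no longer grants
            }
        }
        for (String groupId : account.groupIds) {
            Authorizable a = um.getAuthorizable(groupId);
            if (a != null && a.isGroup()) {
                ((Group) a).addMember(user); // returns false if already a member
            }
            // Unknown group ids are skipped: groups used by CUGs are assumed to be managed in AEM.
        }
        session.save(); // persist all changes in one commit
    }
}
```

Run it with a service session that has user-management rights only; removing memberships on every sync is what keeps a revoked user from retaining CUG access.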

deepankard86318
Level 2
October 7, 2018

Hi Katrien

I know it has been 3 years since this question, but were you able to use the CUG features of AEM after storing the users outside the JCR and authenticating users from an external database? I have a similar requirement and would appreciate it if you could provide some information in this direction.

Thanks