Hi Reinhard, Is this a design choice? As I try to read the general idea, Cocoon 3 is to be minimal and would have only a dependency on the Spring framework. Somebody considering to build a web application with cocoon that needs authentication would have to code the page redirection mechanism herself? Assuming that a JAAS/LDAP component is plugged in via Sping, the logic of For a realm filtered by url characteristics (say 'secure/*.*') 'is there a HttpSession which has a remote user? yes -> OK, through with processing, based upon role/rights no -> send to login page, or 'forbidden' page, whereby the login page captures authentication tokes from user and feeds that to the authentication component (which itself is an indepent component.
Not that it is very difficult to code such behaviour for an individual application, but to enable this from within the sitemap looks perfecly sound within the cocoon philosophy, thereby avoiding to insert permission checks into the data access layer. What do you think? Kind regards, Jos Snellings On Fri, 2009-08-14 at 18:01 +0200, Reinhard Pötz wrote: > Jos Snellings wrote: > > Dear, > > > > In cocoon 3 I do not find back the "auth" mechanism > > (org.apache.cocoon.auth), which comes in very handy to secure a range of > > urls. > > In addition, I could not find the notion of "application". > > > > Will the 'old' construct to build a session hold in cocoon-3? > > Is the mechanism available in spite of my unability to find it at first > > glance? > > Hi Jos, > > unfortunately there is no equivalent of the C2-Auth block in Cocoon 3 > available. >