Stefano Mazzocchi wrote:

I'm all for a better authentication strategy but if this doesn't work with our way of doing stuff, well, it's not going to help anybody.

I'm not going to repeat here all the arguments that Gianugo has put forward in his reply, but just say that I agree 100% with what he said.


It's certainly true that J2EE sucks in many respects, but since we're still using the Servlet spec that's part of J2EE, we should adhere to it for what it's worth. I hope that one day, Cocoon won't be a Servlet anymore and serve HTTP requests by itself, providing authentication and authorization to blocks in a transparent, hot-deployable way. On that day, blocks won't try to do AAA by themselves, each one in a different way, but will delegate it to the Cocoon Kernel, just like today they should delegate it to the Servlet container.

I also agree with him that we could ship Linotype without authentication. We could also ship with a commented-out <security-constraint> section in web.xml (plus a file-based realm for Jetty) and put a prominent notice in the homepage that if people want to enable authentication, they just have to uncomment it, and possibly set up a realm in their container of choice, if not using the provided Jetty.

There is no need to use a standard markup for something that nobody is ever going to see. I'm happy to move to a more Cocoon-oriented namespace and move away from my own, but I don't see the need to use a markup that was invented for feeds and not as a storage markup.

Atom and RSS are more or less isomorphic to the current markup, so it's not really important to switch right now. I'll try to fix what's broken with what we have and we'll decide later.


Ugo

