Just curious, as I am trying to get authentication/authorization done right myself...
If you only use it for authentication, then why don't you just use the security provided by J2EE?
Bart.
I guess I wasn't too clear. Authorization is still performed in the web container. JAAS just isn't used to do it. Cocoon's authentication framework is also used to validate every request. Authorization is performed through a PermissionSelector. This allows end users to have the same request fulfilled differently depending on their permissions.
