Apache » Cocoon »

  Cocoon Authentication

Cocoon Authentication 1.0

Security Handlers

One of the main objects of Cocoon Auth is a security handler. This handler is the component that tries to authenticate a user against a user database. So this is the connection between your web application and the user database. Cocoon Auth comes already with some implementations for a security handler, like a pipeline based one that uses a usual Cocoon pipeline to authenticate a user. So a security handler is a helper component that you have to write in order to integrate your database.

You will never use your security handler directly. The handler you write is tied to your applications and Cocoon Auth will use it for login and logout operations of users.


Before you can use a security handler, you have to tell Cocoon Auth about it. Technically, a security handler is a singleton component, so the configuration of a handler takes place in the bean configurations

Let's have a look at a simple security handler configuration:

<bean name="org.apache.cocoon.auth.SecurityHandler/shop-handler"
    ... Configuration for the handler - if required

In the example above, a new security handler is configured. Each handler must have a unique name that is used as a reference to this handler. This uniqued identifier is defined in the name attribute. The name has to start with the prefix "org.apache.cocoon.auth.SecurityHandler/" follow by the name of the handler. Technically, a handler is a Java class (conforming to a specific interface). The class attribute in the configuration specifies this class. A single instance of this class is created and used in the application to authenticate a user.

Anonymous Security Handler

There are situations where you might want to use the notion of an application, but don't have the need to identify single users. In this case you can simply use the anonymous security handler of Cocoon Auth that automatically creates a new user object without the requirement of having a user database.

The application will not have a login form and the user is logged into the application as soon as he invokes the first page of the application.

Errors and Improvements? If you see any errors or potential improvements in this document please help us: View, Edit or comment on the latest development version (registration required).