A Security Handler

One of the main objects of CoWarp is the security handler. This handler is the component that tries to authenticate a user against a user database, so it is the connection between your web application and the user database. CoWarp already comes with some security handler implementations, such as a pipeline-based one that uses a usual Cocoon pipeline to authenticate a user. A security handler is therefore a helper component that you have to write in order to integrate your database.

You will never directly use a security handler. The handler is tied to your applications and CoWarp makes use of a security handler for login and logout operations of users.


Before you can use a security handler, you have to tell CoWarp about it. Technically, a security handler is a singleton component, so the configuration of a handler takes place in the cocoon.xconf.

Starting with Cocoon 2.2 it's possible to define components on a per-sitemap basis, so it's also possible to define the security handler in the xconf belonging to your application's sitemap.

Let's have a look at a simple security handler configuration:

<component role="org.osoco.cowarp.SecurityHandler/shop-handler"
           class="...">
    <!-- ... Configuration for the handler - if required -->
</component>

In the example above, a new security handler is configured. Each handler must have a unique name that is used as a reference to this handler. This unique identifier is defined in the role attribute. The role has to start with the prefix "org.osoco.cowarp.SecurityHandler/" followed by the name of the handler. Technically, a handler is a Java class (conforming to a specific interface). The class attribute in the configuration specifies this class. A single instance of this class is created and used in the application to authenticate a user.
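A configuration check for the rules described above, as an added example that is not part of CoWarp or the original page. It assumes handlers are declared as component elements as in the snippet; the sample xconf fragment and its class names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

PREFIX = "org.osoco.cowarp.SecurityHandler/"

# Constructed sample xconf fragment; all class names are placeholders.
SAMPLE_XCONF = """
<cocoon>
  <component role="org.osoco.cowarp.SecurityHandler/shop-handler"
             class="com.example.ShopHandler"/>
  <component role="org.osoco.cowarp.SecurityHandler/shop-handler"
             class="com.example.OtherHandler"/>
  <component role="org.osoco.cowarp.SecurityHandler/"
             class="com.example.Nameless"/>
  <component role="org.osoco.cowarp.SecurityHandler/admin-handler"/>
  <component role="org.osoco.cowarp.securityhandler/typo-handler"
             class="com.example.Typo"/>
</cocoon>
"""

def lint_handlers(xconf_text):
    """Return (handler_names, problems) for security handler declarations."""
    root = ET.fromstring(xconf_text)
    names, problems, seen = [], [], set()
    for comp in root.iter("component"):
        role = comp.get("role", "")
        if not role.startswith(PREFIX):
            # A role that differs only in case does not carry the required prefix.
            if role.lower().startswith(PREFIX.lower()):
                problems.append(f"{role}: prefix must be exactly {PREFIX!r}")
            continue
        name = role[len(PREFIX):]
        if not name:
            problems.append(f"{role}: handler name is empty")
            continue
        if name in seen:
            problems.append(f"{name}: duplicate handler name")
        else:
            seen.add(name)
            names.append(name)
        if not comp.get("class"):
            problems.append(f"{name}: missing class attribute")
    return names, problems

if __name__ == "__main__":
    found, issues = lint_handlers(SAMPLE_XCONF)
    print("handlers:", found)
    for issue in issues:
        print("problem:", issue)
```

Running such a check before deployment catches a handler that silently fails to register under the name the application refers to.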

Anonymous Security Handler

There are situations where you might want to use the notion of an application, but don't have the need to identify single users. In this case you can simply use the anonymous security handler of CoWarp, which automatically creates a new user object without requiring a user database.

The application will not have a login form and the user is logged into the application as soon as he invokes the first page of the application.

Using the anonymous security handler is easy: just omit the security handler configuration in your application configuration!