Posted by Tom Grahame on
URL: https://discuss.orbeon.com/Limiting-access-to-a-page-using-the-PFC-tp1577241p1579517.html

Well just for the sake of interest, I'll carry this on...

Security in our system is handled primarily by Java Struts applications that sit within the same context as Orbeon.
Using parameters passed to them via Orbeon Forms, they interrogate LDAP and Central Authentication services, writing values into the session.
It's then up to Orbeon Pipelines/Processors to check the session for appropriate values and inform the app behaviour/browser.

I understand this is all possible because the Struts apps and Orbeon apps are able to share the same session state, but the details of this are vague to me.

I find this topic interesting because Orbeon does not have a security model of it's own (and rightly so) but in order to use Orbeon in other projects, a collection of best practice solutions for such an important topic is nice to have.

Best wishes,

Tom