The above picture summarize the flow when a user try to access to the CMS through path /dbprism/ldoc path (CMS directory with write access):

1. An HTTP request is sent for the url /dbprism/ldoc/Home.html, for example.
2. Cocoon process this request and execute, using DBPrism Generator, an stored Procedure for getting the page content.
3. DBPrism Servlet Engine has a security setting for this url using per-package authorization mode. It means that, for each package executed into the database DBPrism will try to execute first a function Authorize which will return true or false if the username/password sent by the browser in the header Authorization is a valid CMS user. The CMS function authorize calls to the procedure cms_ctx.set_user_ctx which validates the username and password against the VPD information and set the correct context for the connection.
4. If no Authorization header was sent, a response with the HTTP status Not authorized is returned. A this point the browser will ask to the user for the username and password for the CMS.
5. A valid username and pasword is sent again with the original request.
6. With this new username/password information DBPrism will execute again the function authorize.
7. If a valid username/password was sent, the Code of DBPrism CMS returns the content of pages /Home.html
8. The XML content of the pages is sent back to Cocoon to assamble and transform to html format. The html page is sent finally to the browser.