Johan Carlsson wrote:
> Why do you need different authentication logic?

My client wants to do form-based authentication and have user data stored in a database so they can manage users without having to know anything about Zope.

My idea is to create a folder object that can be given a method (AuthenticateMethod) to call when someone tries to traverse the folder's contents. AuthenticateMethod returns true or false. The folder itself knows nothing of the authentication scheme. That's AuthenticateMethod's concern.

My partner and I agree that it doesn't make sense to throw away Zope's built-in security. But we don't like the hack required to log out a user with basic authentication. Also, we need to implement a record-level authorization scheme. The easiest, most cost-effective way to do this seems to be using a database to define user permissions just the way we want.

I'd welcome any thoughts you or anyone else might have.
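The design described in the message above, sketched as an added example that is not part of the original post and is plain Python rather than Zope's API: a folder that only calls an injected AuthenticateMethod-style hook, plus a database-backed record-level check. The names GuardedFolder, db_authenticate, db_authorize, the table layout and the sample user are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample data: one user and one per-record permission row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    db.execute("CREATE TABLE record_perms (name TEXT, record_id TEXT, action TEXT)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, _hash("s3cret-example", salt)))
    db.execute("INSERT INTO record_perms VALUES ('alice', 'invoice-1', 'view')")
    return db

def db_authenticate(db):
    """Build an AuthenticateMethod: (name, password) -> True/False."""
    def authenticate(name, password):
        row = db.execute("SELECT salt, pwhash FROM users WHERE name = ?",
                         (name,)).fetchone()
        # Unknown users still cost one hash, so timing does not reveal who exists.
        salt, stored = row or (b"\x00" * 16, b"")
        return hmac.compare_digest(stored, _hash(password, salt))
    return authenticate

def db_authorize(db):
    """Record-level check: is `name` granted `action` on `record_id`?"""
    def authorize(name, record_id, action):
        return db.execute(
            "SELECT 1 FROM record_perms WHERE name=? AND record_id=? AND action=?",
            (name, record_id, action)).fetchone() is not None
    return authorize

class GuardedFolder:
    """Knows nothing about the scheme; it only calls the hooks it was given."""
    def __init__(self, contents, authenticate, authorize):
        self._contents = contents
        self._authenticate, self._authorize = authenticate, authorize

    def traverse(self, record_id, name, password, action="view"):
        if not self._authenticate(name, password):
            raise PermissionError("authentication failed")
        # Same error for missing and forbidden records, so ids are not disclosed.
        if record_id not in self._contents or not self._authorize(name, record_id, action):
            raise PermissionError("not permitted")
        return self._contents[record_id]
```

Swapping the user store or the permission model means passing different callables to GuardedFolder; the folder code does not change.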