Example : a document has url : $ZOPE/.../document_manager/document_37.
I wish the displayed url looks like : $ZOPE/.../document_manager?document=k2316fge54dsgb51v3vsdv4
I can't imagine *why* you think that would be more secure. My guess would be that this is *less* secure, if anything, since document_manager will need to have the largest possible permission set to work correctly. It would become a single point of failure with greater security implications than the failure of any one piece it manages. But if you really must, it's easy enough. Make document_manager a Python script that has one giant mapping of object ids and "encoded" ids. For a request to the "encrypted" id, return the contents of a call to the object specified in your mapping. But I think you're working hard to reinvent a wheel here, and I'm not convinced your proposed wheel is even round. :-) You'll probably be better off spending this time becoming familiar with Zope's existing security model. HTH, Dylan