Hi Jan, I think, the firewall and acl part is for connecting authentication with authorization. So the authentication process has to work without using this, or? And why do I have to specify the controller I want to protect? Why there is no whitelist approach, so everything is blocked until I grant access? Best, Pascal