Really I was wondering if there was some declarative handler / hook for a login page or security in general. Kinda like a J2EE app you can declare the login form / page in the web.xml and then use j_security_check in a form etc etc.
If not using the web.xml approach, I believe in most J2EE baseed apps you'd setup a Listener and intercept the HTTP requests to do your own session / security checks.
Seems like this could be a common use case. Not sure that I have anything clever in mind. But might be good to create authN / AuthZ API interfaces and supply default impls using the spring security etc.
I'm too much of a noob at this point to enhance the ratpack closure. It could be interesting to declare something pattern based as protected and register a security module etc. Make user pages / form use j_security_check?