In a pure AJAX environment, how is true application access control handled?

For example, if I have a financial application and 5 out of my 20 named CAL users are allowed to access it, how is that configured for an AJAX application?

Conceptually it sounds like Publisher would allow control for authority to open an application: "QlikView Server can make use of the Directory Service Connector (DSC) installed with QlikView Publisher (hence also a third-party Directory Service Provider) to resolve group memberships for authenticated users. With the use of extended authorization it also becomes possible to control access to a document for a specified user or user group to specified time intervals."

Does this still apply to AJAX apps?

Feedback I have so far suggests that section access would not work to handle a "front end login" to the AJAX application. Is that correct?

If so, then without purchasing publisher, how is authority to open the URL for a "Secure AJAX application" handled?

Finally, if the environment includes session license users as well, what security model is used to allow a specific user to open the AJAX application? I have some feedback that we could create a front end login page that requires username/password and uses teh qlikview scrmabling to make sure the passwords are not part of the AJAX URL, but need more definition about this type of solution and the effort to enable it. Is there anything available through the community to make something like this work?

The end goal is the ability to control who can open an AJAX URL to an application that only a few people are allowed to see.

Conceptually I think I understand some parts of how this would work, but how is it truly implemented out there in the community? I also would rather not require publisher to make this happen for AJAX customers.

Any specific thoughts from the group on how to configure this?

Thanks,
Todd