-1 for having the security-manager optional. the security section has been completely reworked and the security-manager is a key functionality.
up to know the access-manager was the only mandatory element in the security section. with the new security code it could even be the other way round: the access manager could be make optional. apart: the access-manager interface has been heavily extended and the old methods have been deprecated. someone having an 1.4 configuration with a custom access manager would be forced to change it anyway. angela