In JR2.0, there is a security workspace created for all repository. It may not necessary for all the repository use case.
In JR3.0, we may have a pluggable security handling api outside core for following use case: * No security at all - up to application to handle security * Tech user login - like database logins (verify at the beginning of a connection) * Build-in acl - to repository/workspace/node level (include how to manage those acl data) -Guo