I was just looking at implementing a custom SubjectFactory and noticed that there's a circular dependency between SubjectFactory and DefaultSecurityManager. I assume that SubjectFactory requires SecurityManager just so that it can pass it to the created Subject. Is that correct? If there's no other reason for it, wouldn't it be cleaner if a securityManager were passed in as a second argument of createSubject(Map context)? Or even in the context itself, but I suppose a reference to SecurityManager is required for creating a Subject.
Kalle
