-1 for having the security-manager optional.
If it is not optional, we are obviously not backward compatible.
someone having an 1.4 configuration with a custom access manager would be forced to change it anyway.
I believe most users use the default settings.
so, the question is whether we want to stress out the changes made to code base and have users being aware of that or if want to focus on backwards compatibility taking the risk that people don't change their config and can't start the repository afterwards. to me the first variant looks better. but i can live with both... angela