thomas and myself had a private conversation on that issue and found a compromise:
have everything in the security configuration optional would avoid any misconception regarding the relation between security-manager and access-manager. i.e. change dtd from <!ELEMENT Security (SecurityManager, AccessManager, LoginModule?)> to <!ELEMENT Security (SecurityManager?, AccessManager?, LoginModule?)> and change the configuration parsing and repository initialization accordingly. i will open an issue for that. angela
