hi bertrand
What I definitely want to keep is the "if using JCR, don't use any other access control mechanism" constraint, and if people do otherwise it's their problem.
no this is not the case. IMHO you are completely mistaken here. if our customers 'do otherwise' (and they usually do for various reasons) it falls back on our products no matter what. it's our responsibility to make sure that our products are secure out of the box. making features available and usable that compromise this, is not only a threat for an individual customer but for us as a company. kind regards angela
