Exactly, I agree with anonymous wrote : A missing login-required should be interpreted as null, and delegate to the more general widcard.
And that's where dom4j and the existing DTD are messing with us. Because there isn't a way to tell the login-required isn't there. Dom4j insists on saying it is false, per existing DTD, even if it isn't there. Now people who don't want to use the new functionality can keep using the old DTD. The "forcing" is meant to make sure one site uses the same DTD for all page.xml, because otherwise a single page could have an older DTD, which could be easy to overlook, e.g. copy and paste from an example. The overlooked DTD would make that page less secure, no login-required, a bad oops. The "forcing" is in a well isolated piece of the patch (yet to submit 3rd version) so it can/could be removed/not incorporated by itself. I think it is figured out relatively nicely, so if it doesn't come across clearly I'll be happy to answer questions. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4028015#4028015 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4028015 _______________________________________________ jboss-user mailing list jboss-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/jboss-user