My personal preference would be to enable a cache manager by default. If the optimal/recommended jsecurity configuration includes the use of a cache manager then the default configuration should use a basic cache manager implementation. More advanced users could disable or enhance this configuration.
+1
I also think we should try to make it as easy as possible to enable a different cache manager, like ehcache - since most professional users will probably want to do that.
