I am thinking we should choose a better name than "security-manager", given that people get confused with the Java Security Manager. Can we qualify it further as authentication-manager, authorization-manager, etc., maybe?
Also, in AS5/6, for the web layer, we always go through the authorization layer for each security check. In my view, we should now stop doing that by default. Let the user configure that the web authorization goes through the PicketBox authorization stack (needed for JACC, XACML, etc.). In AS5/6, there is a property that turns off the authz layer. But since 95% of web deployments don't care about JACC or XACML, we should turn it off by default.