<!ATTLIST page login-required (true|false) #IMPLIED> instead of "false"
fixes the problem "on my machine".
The bigger problem though would be people who don't change the DTD e.g. from 1.2 to
either 1.2.1 or 1.3 and still get the "false" instead of recognizing it
isn't defined. So a login-required that isn't defined acts like a
login-required="false", which, when trying to implement JBSEAM-1009, is bad.
One answer would be "well, then let's forget about JBSEAM-1009". Not a good
answer.
Meanwhile I might have a better patch for 1009 working also for overriding <restrict
...> specific over less specific wildcard (need to test), and am using a nicer pages
element attribute name for the on/off flag for this feature:
weaker-explicit-security="true"
Any guidance, e.g. whether instead of login-required we now should use require-login to
ensure #IMPLIED. Should we replace it, or have both in the code? Doesn't sound
good.
I hope Seam isn't too old yet to allow change for the better.
Sure, one could say "have to switch to new DTD anyway to comply for
weaker-explicit-security", but the problem is older whatever.page.xml files.
Then, we could keep the DTD's ID of the pages.xml and compare all page.xml and throw
an exception if one is a different version. That would be dom4j DocumentType method
getPublicID? Or getSystemID?
I want to get this to work in a way that works for everyone.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4027923#...
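The difference the post describes between a DTD default of "false" and #IMPLIED, as an added example that is not part of the original post and is not Seam code. It uses the JDK's built-in DOM parser rather than dom4j; the class and method names are hypothetical, and the DTD fragments and page elements are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class LoginRequiredDefaultDemo {
    // Constructed DTD fragments: a "false" default versus the #IMPLIED form from the post.
    static final String DEFAULTED = "<!ATTLIST page login-required (true|false) \"false\">";
    static final String IMPLIED = "<!ATTLIST page login-required (true|false) #IMPLIED>";

    // Parses one constructed <page> element against an inline DTD subset.
    static Element parsePage(String attlist, String pageTag) throws Exception {
        String xml = "<!DOCTYPE page [<!ELEMENT page EMPTY>" + attlist + "]>" + pageTag;
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getDocumentElement();
    }

    // What a reader that only calls getAttribute() sees: a DTD default looks explicit.
    static String naiveValue(Element page) {
        return page.getAttribute("login-required");
    }

    // Tri-state view: "true", "false", or "unset" when the author wrote nothing.
    static String explicitValue(Element page) {
        Attr attr = page.getAttributeNode("login-required");
        return (attr == null || !attr.getSpecified()) ? "unset" : attr.getValue();
    }

    public static void main(String[] args) throws Exception {
        String[][] cases = {
            {"default \"false\"", DEFAULTED, "<page/>"},
            {"default \"false\"", DEFAULTED, "<page login-required=\"false\"/>"},
            {"#IMPLIED", IMPLIED, "<page/>"},
            {"#IMPLIED", IMPLIED, "<page login-required=\"false\"/>"},
        };
        for (String[] c : cases) {
            Element page = parsePage(c[1], c[2]);
            System.out.printf("%-16s %-32s naive=[%s] explicit=[%s]%n",
                    c[0], c[2], naiveValue(page), explicitValue(page));
        }
    }
}
```

With the defaulted declaration, the parser fills in "false" for a page that never set the attribute, and only `Attr.getSpecified()` tells the two apart; with #IMPLIED the attribute is simply absent.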