By the time we ship M2, we should be able to articulate our security plans.
- Will we rely entirely upon Spring Security? If not, what will we do in its absence?
- How much of its feature set will we expose client side?
My suspicion is that we won't be able to provide all the bells and whistles, e.g. hiding or disabling pieces of the UI that the user is not authorized for.