if you want to use the portable container access control model to achieve this effect for a specific application, then you can do so by defining (in web.xml) a security-constraint containing an excluding auth-constraint (naming the methods you want to exclude).
the security-constraint would contain a web-resource-collection containing the "/*" url-pattern, and every other url-pattern appearing in a security-contraint of the application.
the web-resource-collection would list the methods you want to exclude, and the security-contraint would contain an auth-constraint naming no roles.
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=279267