This is just an FYI, I'm not asking for any changes:
One thing that is kinda messed up with subresource locators has to do
with security. I can't truly authorize the request until all the
subresource locators have invoked because I won't know *reliably* what
the eventual target method will be. (You can of course authenticate).
Another reason why it's better to define security constraints via URL
patterns rather than @RolesAllowed.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
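
The situation described in the message above, as an added example that is not part of the original e-mail or of any project's code. The class names, paths and role names are hypothetical, and the `javax.*` JAX-RS and security annotations are assumed.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;

// Hypothetical resource, constructed for illustration.
@Path("/accounts")
public class AccountsResource {
    // Subresource locator: it has @Path but no @GET/@DELETE. The runtime must
    // invoke it to learn which object handles the rest of the URI, so this
    // code runs before any method-level role check can be evaluated.
    @Path("{id}")
    public Object locate(@PathParam("id") String id) {
        return id.startsWith("archived-") ? new ArchivedAccount(id) : new LiveAccount(id);
    }

    public static class LiveAccount {
        private final String id;
        LiveAccount(String id) { this.id = id; }

        @GET @RolesAllowed("user")
        public String read() { return "live " + id; }

        @DELETE @RolesAllowed("admin")
        public String close() { return "closed " + id; }
    }

    public static class ArchivedAccount {
        private final String id;
        ArchivedAccount(String id) { this.id = id; }

        @GET @RolesAllowed("auditor")   // a different role for the same URI shape
        public String read() { return "archived " + id; }
    }
}

/* URL-pattern alternative in web.xml, decided from the URI and HTTP method
   before any locator is invoked:
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>accounts</web-resource-name>
       <url-pattern>/accounts/*</url-pattern>
       <http-method>DELETE</http-method>
     </web-resource-collection>
     <auth-constraint><role-name>admin</role-name></auth-constraint>
   </security-constraint>
*/
```

For `GET /accounts/{id}` the required role is "user" or "auditor" depending on what `locate` returns at runtime, which is why the annotation cannot be checked up front.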