dev@jsr311.java.net

A reason I don't like dynamic locators

From: Bill Burke <bburke_at_redhat.com>
Date: Thu, 03 Jul 2008 18:09:33 -0400

This is just an FYI, I'm not asking for any changes:

One thing that is kinda messed up with subresource locators has to do
with security. I can't truly authorize the request until all the
subresource locators have invoked because I won't know *reliably* what
the eventual target method will be. (You can of course authenticate).
Another reason why it's better to define security constraints via URL
patterns rather than @RolesAllowed.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
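
An added example, not part of the original message and not code from any JAX-RS implementation: a dynamic subresource locator whose two possible targets carry different @RolesAllowed constraints, plus a role check that can only run once the target method has been resolved. The resource classes, role names, the "internal-" id convention and the authorize helper are all hypothetical.

```java
import java.lang.reflect.Method;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resources, constructed for illustration.
@Path("/accounts")
public class AccountsResource {

    // Subresource locator: @Path but no HTTP method annotation, returns Object.
    // The concrete class is picked at request time, so the target method and
    // its @RolesAllowed are unknown until this method has actually run.
    @Path("{id}")
    public Object locate(@PathParam("id") String id) {
        return id.startsWith("internal-") ? new InternalAccount(id)
                                          : new CustomerAccount(id);
    }

    public static class CustomerAccount {
        private final String id;
        CustomerAccount(String id) { this.id = id; }

        @GET @RolesAllowed({"customer", "teller"})
        public String get() { return "customer account " + id; }
    }

    public static class InternalAccount {
        private final String id;
        InternalAccount(String id) { this.id = id; }

        @GET @RolesAllowed("auditor")
        public String get() { return "internal account " + id; }
    }

    // Role check a runtime could apply after locator resolution, given the
    // resolved method. Only @RolesAllowed is handled here (method level
    // first, then class level); a target with no constraint is let through.
    static void authorize(Method target, SecurityContext sc) {
        RolesAllowed ra = target.getAnnotation(RolesAllowed.class);
        if (ra == null) ra = target.getDeclaringClass().getAnnotation(RolesAllowed.class);
        if (ra == null) return;
        for (String role : ra.value()) if (sc.isUserInRole(role)) return;
        throw new WebApplicationException(403);
    }
}
```

Both GET /accounts/42 and GET /accounts/internal-42 match the same locator, so a check made before locate() runs sees no @RolesAllowed at all; the caller can be authenticated at that point, but the role decision has to wait until the locator has executed.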