Question 11.1 In HF EJB
posted 10 years ago
If I want to have security authorization for a method, I can have a <method-permission> tag in the DD for that method and specify a <role-name> who can access that method. If I do this, I am enforcing security authorization by specifying that only a particular role can access that method. But if I want to bypass security authorization for a method, I simply omit the method-permission tag for that method. Thus for each method, I can decide whether to bypass or enforce authorization. In other words, I can bypass / enforce security authorization on a method-by-method basis.
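
An added example, not part of the original post: a small Python check that reads an ejb-jar.xml and reports, per method, whether the descriptor restricts it to roles, marks it `<unchecked/>`, or lists it in `<exclude-list>`, and which beans have no method-level entry at all and so need review. The descriptor is a constructed, abbreviated sample; the bean, method and role names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated descriptor: bean, method and role names are made up.
SAMPLE_DD = """<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>AccountBean</ejb-name></session>
    <session><ejb-name>ReportBean</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <method-permission>
      <role-name>teller</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>withdraw</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>AccountBean</ejb-name><method-name>getRates</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>purge</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>"""

def _key(method):
    # (ejb-name, method-name) of a <method> element
    return (method.findtext("ejb-name", "").strip(),
            method.findtext("method-name", "").strip())

def audit(dd_xml):
    """Return ({(bean, method): [rules]}, [beans with no method entry])."""
    root = ET.fromstring(dd_xml)
    for el in root.iter():                      # ignore XML namespaces, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    beans = [b.findtext("ejb-name", "").strip()
             for kind in ("session", "entity") for b in root.iter(kind)]
    policy = {}
    for mp in root.iter("method-permission"):
        roles = sorted(r.text.strip() for r in mp.findall("role-name"))
        rule = "unchecked" if mp.find("unchecked") is not None else "roles:" + ",".join(roles)
        for m in mp.findall("method"):
            policy.setdefault(_key(m), []).append(rule)
    for ex in root.iter("exclude-list"):        # exclusion wins over any permission
        for m in ex.findall("method"):
            policy[_key(m)] = ["excluded"]
    uncovered = [b for b in beans if all(k[0] != b for k in policy)]
    return policy, uncovered

if __name__ == "__main__":
    print(audit(SAMPLE_DD))
```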