The specification has a conflict. It first says dd always overrides the values specified in annotation. Then, it says dd can augment the values specified in annotation.
For example, as I tried with GlassFish 3.1.2, <security-role> defined in dd overrides the @RolesAllowed in the bean. Meanwhile, there is a design that <security-role> in dd is an additional role that is permitted to access a particular method.