0 Replies Latest reply on Aug 4, 2015 4:14 AM by nmoelholm

    About JBAS015596 .. why is it a security risk?

    nmoelholm

      Hi guys,

       

      Lines like:

      JBAS015596: Multiple EJB3 endpoints in the same deployment with different declared security roles; be aware this might be a security risk if you're not controlling allowed roles (@RolesAllowed) on each ws endpoint method.

       

      ... why is it a security risk to begin with?

       

      Also: besides listing the same @RolesAllowed(values={}) clause on all endpoints ... and besides putting the entire list in ejb-jar.xml of all EJB JAR modules ... is there an alternative to getting rid of this error? It would be wonderful if there was one that did not include application.xml (for technical reasons of my application).