My apps use role-based security with a custom UsernamePasswordLoginModule and HTTPS/BASIC auth. Everything works fine. Now one of my customers is requesting remove completely the security for the web services.. I don't want to package two different ears, one for this customer and one from everybody else.. Can someone suggest a way to "disable" the security constraints externally or a different (better!) way to accomplish this ?