I have updated the security so now, the configuration is local to each module.
I had to move the security methods from the Api object to the ModuleSupport object. I consider moving these to a security manager later and use JAAS but I need to see the access control stuff on the JAAS side.
Now each module contains a security JMX attribute which describes the security rules of the module, the same as before. It allows you to configure the security of a module in the same configuration so it is better to module integrations. The CoreModule security attributes began to be pretty huge and was too much dependant of other modules.