I'm not stating that the data is insecure, but that the model is. A company's data model can constitute proprietary information or trade secret. What I'm blatantly saying is that as much as sessions beans require @WebRemote to have their methods exposed under Seam Remoting, entity beans in the same distribution should be afforded the same level of preventative measure. Instantiating a *new* object tells me plenty about how the database is modeled and in some cases can reveal proprietary information or trade secret. A developer may wish to prevent various entity beans from having their model exposed. I'll go a step further and say that entity beans should not have their model exposed by default, but that they should be configured with @WebRemote as well. It fosters uniformity and errs on the side of security. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3972331#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...