"bfagan" wrote : Please correct me if I'm mistaken, but my impression from the Seam Reference document is that if you enable Seam Remoting then any Entity bean that you've given a Seam @Name has it's data model exposed. | | Let's say you have a large corporation and a developer uses a wonderful IDE wizard to turn their database model into a package of easy to use Seam-enabled entities. Next the developer enables Seam Remoting to use an @WebRemote enabled session bean. | | Any competitor to said large corporation can search javascript segments for Seam.Component.newInstance() methods, call out to the Seam Remoting URL garner information about the entities and reverse engineer a data model. | | It is clear that session beans require @WebRemote annotation. Why are entity beans automatically exposed without such an annotation? They are only exposed if they are the return value of a method marked @Remote. And only their state is exposed, not their methods. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3971497#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...