You are the architect of a JEE-based product that customers can configure to meet their own security requirements. You want to enforce basic security without sacrificing customers' ability to customize the product.
Which is the best method to support both requirements?
A. Define base roles and users declaratively
B. Define base roles and users programmatically
C. Build a custom security service to handle authorization
D. Customize the JRE sandbox model by using local variables