You can read about jabsorb (json-rpc) and inspect the methods that vosao,js exposes.
I've never added json-rpc services, but I've looked at how authentication works.
I've also tried to modify some services but I gave up because I find the server side code for jabsorb too old. It has a way to inspect properties that was implemented before annotations. So if your object contains private data or other methods, it can be really hard not to expose them