Hi!
I want to start a discussion about application security issues.
From my point of view I see 2 possibilities:
1. Building a security concept inside the application like in the car rental system example.
2. Using a default mechanism of the application server.
The first one seems to be more flexible, especially for internet applications.
Considering an intranet solution, where every user has an account, it may be nice to use the
security mechanisms defined by the application server and not to implement them. Or is this
a "bad solution" and only services (e.g. a web server using the beans) should have application
server accounts? Does anyone have experience with this issue?
