Chapter 29. J2EE Security in WebSphere

Let's face it, security is a painful subject. Far too often, developers take the attitude that security is “not my problem,” leaving securing their applications up to the nameless, faceless security people in an organization. The results are tragic. It seems like almost daily you hear of major Web sites being hacked or defaced, sensitive information being stolen, or massive fraud being committed as a direct result of that attitude. Is this the fault of these security people? No, the reality is that building secure systems is the job of all developers, not just a privileged and knowledgeable few.

However, due to the way that WebSphere's J2EE security works, it's easy to get away with that attitude. By default, ...
