A little security story

One day Bob’s boss called Bob into his office. “I’ve got an exciting new project for you!” his boss said. Bob groaned. “I know I’ve handed you some bad jobs in the past, but this one should be really fun... I’d like you to design the security for our company’s new eCommerce web site.” “Security,” Bob said, “is hard and boring.” “No, you’re wrong...” the boss said. “In J2EE 1.4, servlet security is supposed to be pretty cool.”

The boss continued, “Let me give you the elevator pitch to get you going, then we’ll go into details once you’ve had a chance to think this through.” “Ok,” Bob sighed. “Lay it on me.”

“As you know, this beer website is really hot right now. We’ve added several new features, and we’re getting a great response. Some of our users are happy with just the free recipes we offer, but a lot more people than we thought are willing to pay for our rare hops and other premium ingredients. Oh, and our Frequent Brewer program is a huge hit. If a user decides he’ll be a repeat ingredient buyer, he can pay a one-time fee and upgrade to Brew Master status. A Brew Master gets special discounts, and earns Frequent Brewer points which he can redeem for cool brew rewards.”

Bob continued to listen, mentally calculating the code he’d have to write to implement all this, and kissing that tropical vacation goodbye. Meanwhile, the boss continued...

“But now we have to make sure that when one of our users makes a purchase, no one can swipe his credit card information. ...
