What aspect of security are you talking about - control over admiting users to the application, control over what the application is allowed to do, encryption of communication?
Control over users may already be built into the container your application runs in - what are you using?
Java provides for very fine-grained control over what a given application is allowed to do through security managers.
Bill
Note that the performance forum is not really the place for this question.
[ July 23, 2005: Message edited by: William Brogden ]