I am re-developing a fairly simple application where users can upload files which will be stored in a directory or db2 (haven't decided yet). These files will be catagorized, and accessable to users/groups specified by the owner (person who uploads) of the file. I am still in the architectural planning phase, and have a few issues which must be resolved. First off, security. I was looking at using LDAP as a user directory and then specifying the protected resources and using role to group mappings. But I don't think this approach is dynamic enough. The users may need to define new groups, etc. and I don't want to have to redeploy the app every time this occurs. Obviously I could abandon the J2EE security model and do it entirely programatically, but I don't like this entirely "home-grown" approach. Could Struts help with this? Another related problem is how to secure the files which will reside outside of the application. Securing the web resources is one thing, but what about the actual files if they just reside in a directory on the web server. We are currently using a .htaccess file which points to a LDAP group, but this is obviously no good if the access to files, is going to be dynamic and controlled by the app. Any suggestions? Comments are most appreciated!