Hello,
my personal opinion is that one of the biggest problem is application level security. Let us consider simple example. Customer enters orders and the manager approves or rejects orders. Administrator manages personal data of customers and manages. Here are the minimal security requirements for this application:
1. Administrator has no access to business data.
2. Customers and managers has no access to administration data.
3. Manager can approve/reject orders only from specific regions (region is a customer's attribute)
4. Customer can view/update only his orders
Suppose, this is
j2ee application. EJB security is not enough, because it does not cover instance level security (points 3 & 4). Moreover, we should protect not only data but
servlets(URLs) for points 1 & 2. If our application is integrated with some external system(for example, loading of orders from CSV files directly to database), we need protection on the database level. Does anybody know how to build the consistent security model for such applications? Are there books/tutorials that address these problems? I think this example is *TYPICAL*. Everybody is welcome to share his experience