Platinum Solutions Corporate Website


Securing ADF web applications with J2EE

Given the increasing popularity of the web, it is no surprise that more and more applications are being developed for and ported to the internet. However, as the usage of these web applications increases, so does the number of security threats and vulnerabilities that they are potentially susceptible to. Firewalls and other traditional intrusion-detection systems are not enough to provide adequate application security, because most of these countermeasures cannot distinguish between legitimate and illegitimate requests coming through a browser. Andrew Stern, a director of security product marketing at F5 Networks, expresses this sentiment by stating "If, through a Web browser, I can get my account information, I can get to your account information...those two requests look exactly the same to a traditional security system."

Vulnerability issues therefore need to be addressed within the application itself. Frank Nimphius, a Principal Product Manager at Oracle, in his white paper titled "J2EE Security in Oracle ADF Web Applications," suggests using J2EE security roles to secure web applications created with Oracle's Application Development Framework (ADF). To do so, one must do the following in the application's deployment descriptor:

  1. Configure application logins to require form-based authentication.
  2. Protect the web application root URL by making sure that page navigation uses Struts Actions rather than directly accessing the JSP pages that render the view.
  3. Store JSP source files in the WEB-INF directory to protect them from direct access.
  4. Handle J2EE security roles in the view layer to enable or disable UI components.
  5. Add J2EE security roles to Struts Actions.
  6. Redirect users to where they previously arrived from when they request a Struts Action that they are not privileged to perform.
  7. Programmatically evaluate J2EE roles in Struts Actions.
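As an added illustration (not taken from Frank Nimphius's paper), the deployment descriptor below applies steps 1, 2, 3 and 5 to a Struts-based ADF application; the login page paths, the `*.do` action mapping, the `/WEB-INF/pages/` location and the `employee`/`manager` role names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml for a Struts-based ADF web application (example; role names,
     paths and the *.do mapping are assumed, not taken from the paper) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Struts front controller: all page navigation goes through *.do actions,
       never straight to a JSP -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Step 1: form-based authentication handled by the container's realm.
       /login.jsp is outside the *.do constraint below, so it stays reachable. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 2: protect the Struts actions (and so the application root);
       a request must be authenticated and carry one of the listed roles -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>StrutsActions</web-resource-name>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Step 3: JSPs live under /WEB-INF/pages/, which the container never
       serves directly; struts-config.xml forwards to them by that path -->

  <!-- Step 5: declare the roles referenced by the constraint above and by
       request.isUserInRole() checks inside Struts Actions (step 7) -->
  <security-role><role-name>employee</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
</web-app>
```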

As Frank mentions early on in the paper: "Good defense is structured like an onion, with many outer layers protecting the core." Therefore, from a security standpoint, this approach is ideal, since it does not rely on a single security measure to prevent abuse but on a layered combination of security measures to protect the application.
