I actually disagree with application security configurations as being the recommended practice. The domain model represents administrative concerns, and a security policy is certainly an administrative concern, at least a reference to which policy should be used. We really don't want people putting password files in their deployments do we?