"PeterJ" wrote : 1) By restricting who has access to the production server (only
the sysadmin is allowed to deploy apps to production) and by using code reviews to make
sure that no developer writes a datasource fishing app. For really secure environments, an
app server instance per app is also used.
Those are indeed the two most commonly used methods. I don't think that Java EE was
really designed for a kind of 'shared hosting' scenario where applications that
are potentially hostile to each other should be protected. The app server is not exactly a
replacement for a fully multitasking protected/supervisor mode OS.
By using an app server per app you're basically piggybacking on the process security
model of your operating system. There are some variants here. In the most basic setup you
run every app server on the same account. Theoretically, apps could still mess with other
apps via the file system, although they can't access each other's address space
directly. So, the next level is running each app server using different user accounts for
each.
Another option that's gaining in popularity lately is running an app server per OS
instance on a hypervisor (Xen, VMware, etc). This provides the maximum isolation possible
on a single piece of hardware. It has certain other management advantages too, like
separating ports being used, dedicating memory, dedicating cores, etc.
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4251321#...
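The "one app server per OS account" level described in the reply above relies on two things being true on the box: each instance's directory tree is owned by its own account, and that tree is not group- or world-accessible, otherwise a sibling instance can still read its datasource configuration through the file system. The script below is an added example, not code from the post or from JBoss: it generates the provisioning commands a sysadmin would run for a new instance (assumes a Linux `useradd`; account names and paths are constructed) and audits an existing layout for shared owners and loose modes, which works on any POSIX system.

```python
import os
import stat
import tempfile


def provisioning_commands(app, home):
    """Commands to give one app server instance its own locked-down account.

    Assumes Linux shadow-utils `useradd`; the `jboss-<app>` naming is a
    constructed convention, not anything the app server requires.
    """
    account = f"jboss-{app}"
    return [
        f"useradd --system --home-dir {home} --shell /usr/sbin/nologin {account}",
        f"chown -R {account}:{account} {home}",
        # 0700: only the owning account can traverse or read the instance tree
        f"chmod 0700 {home}",
    ]


def audit_app_server_homes(homes):
    """Check a mapping of app name -> instance directory for isolation gaps.

    Returns a list of findings (empty when every instance has a distinct
    owning uid and no group/other permission bits on its top directory).
    """
    findings = []
    owners = {}
    for app, path in homes.items():
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                f"{app}: {path} is group/world accessible (mode {mode:04o})"
            )
        owners.setdefault(st.st_uid, []).append(app)
    for uid, apps in owners.items():
        if len(apps) > 1:
            findings.append(
                f"uid {uid} owns {', '.join(sorted(apps))}: these instances share an account"
            )
    return findings


def build_demo_layout(root):
    """Constructed layout: 'shop' is locked down, 'billing' is left world-readable."""
    shop = os.path.join(root, "shop")
    billing = os.path.join(root, "billing")
    os.makedirs(shop)
    os.makedirs(billing)
    os.chmod(shop, 0o700)
    os.chmod(billing, 0o755)
    return {"shop": shop, "billing": billing}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        homes = build_demo_layout(root)
        for cmd in provisioning_commands("shop", homes["shop"]):
            print(cmd)
        for finding in audit_app_server_homes(homes):
            print("FINDING:", finding)
```

Run without privileges, the demo reports both gaps: the `billing` directory is readable by other accounts, and both instances are owned by the same uid (the user running the script), which is exactly the "every app server on the same account" setup the reply calls the most basic level. Once the generated `useradd`/`chown`/`chmod` commands have been applied per instance, the audit comes back empty.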