The first security decision is whether you need to secure the application. Since the focus of this book is on enterprise applications, we assume that you need to secure it. If you don't need security, feel free to skip to the next and final chapter on packaging and deploying your application.
In an enterprise setting, you will normally already have an identity management infrastructure of some kind in place—Microsoft Active Directory, an LDAP-server like Oracle Internet Directory, or some other solution. We don't want each application to handle its own users but do want it to integrate with the existing identity infrastructure. This means that all of the applications should delegate the authentication to the application server, and the application server must be integrated with the existing authentication mechanism.