So i just want to know how can i manage good peformance, scalability, security etc. etc...without using the application server
Your alternatives are really using some application server alternative, such a Spring, or write your own code to do a simmilar job as the application server.
I'd ask your clients what their objections are. They might be valid, a full-blown application server could be overkill. Or they might just have read some on some psedo-technical marketing site that application servers are no longer the way to go.
If the client has such a specific non-functional requirement they should be able to explain why it is so important. To my mind though when presented with non-functional requirements such as security, scalability etc. an application server is one of the components that jumps to the foreground.