People don't think security is the problem. Right up until Vesuvius erupts.
Unlike regular application code, security failures are often undetectable. In fact, the best security exploits are unseen. That way, the Bad Guys can loiter around bleeding critical data from your organization virtually indefinitely, and occasionally injecting things to their own benefit. They can also tunnel through security holes in order to gain inside access to other, more critical resources in other applications and on other machines. Only kiddiez exploit security failures for instant pyrotechnics and blatant vandalism. One of the reasons why Java programming carries a higher price tag than "Git 'R Dun!" platforms is that security needs were part of the basic design both of the language and its standard platforms.
I repeat. When I first started working with J2EE, JSPs hadn't been invented yet. All we had were Servlets, get offa my lawn and in the snow. I've seen a LOT of webapps done by a lot of people, in a lot of organizations, and some of them in very critical roles. And NOT ONE of the ones with DIY security systems could stand up to even the wide-eyed innocent tricks that I myself know how to pull. I've got friends, however, who are downright Evil. One of them cracked a login system I'd been required to implement (in my pre-Java days) by taking advantage of a window of vulnerability that was only milliseconds in width.
Unless you are professionally trained in security and security is your full-time job, your system is insecure. And even then, cracks have been known to happen. For the rest of us, cleverness just won't cut it. We don't have the time or budget to do security up right even if we have the skills and know-how. After all, security isn't "productive". Far smarter to exploit the documented, debugged, tested, and field-proven work of people who are full-time security professionals than to fritter away effort on something that isn't going to hack it anyway (no pun intended).
So, no, I'm afraid you'll have to ask someone else if this is the course you intend to pursue. I just nag people.