After reading a number of articles & books about seam, I was very impressed. I looked forward to incorporating seam into my next company project.

However, there appears to be no documentation on how to incorporate seam while implementing a "defence in depth" security strategy, restricting access to the database from web server etc.

Typically a split deployment strategy would be employed however this of course is not possible with seam given that one would have no way to bind the JSF layer to the EJB layer through EL expressions, no dependency injection between components relying in different tiers etc.

With this in mind, can you guys at seam please let me know what is considered to be best practice here?

Thanks & regards,
John