Hi there,

I have a question regarding security of web applications related to server architecture. To be more precise:
I'm designing a Java Enterprise application with a JSP web layer and a Spring/Hibernate service/DAO layer. I want to deploy this application on one JBoss server in one VM, as I want the app to be lightweight and there are no specific reasons to put web and business on different physical servers.

But the network people in my company have a different opinion on this. They regard this architecture as a security risk. They say that the web layer should be on a separate physical machine in the DMZ. The business and DAO should then be on another machine which is protected from the outside.

As I am not at all a security/network architecture expert, I'd like to have your opinions on this issue. The only risk that I can see is that, in my architecture, a hacker could very well find database connection info and database user/passwords if he manages to penetrate the JBoss machine. But as the database is on another separate machine in the protected zone, he shouldn't be able to reach it.

What other potential risks - apart from giving a hacker details to launch e.g. DoS attacks - do you see in my setup?
Which arguments can I use to convince my network colleagues that my setup is safe or at least safe enough...?

Any help is very much appreciated!