This paper investigates implementation of J2EE-based Web system and its security problems, such as identity authentication, security audit, EJB transaction security, EJB method access control and database security.