A few years ago, when I first started working with J2EE and general web architectures, the "rule of thumb" was that it is best to minimise the amount of functionality that was placed on servers in the DMZ (De-militarized Zone).

Consequently, it was normal and recommended to place J2EE (EJB etc) logic behind the DMZ, and even the Servlet/JSP container behind the DMZ if possible - thus resulting in the web servers alone being in the DMZ.

However, nowadays, there seems to be a shift away from this, and in fact I have seen a number of recommended architectures that include not only the JSP/Servlets, but also the EJB container within the DMZ (accessing a database via the second firewall). Oracle, for example, seems to be quite ok with placing the OC4J in the DMZ.

1) Are my observations correct?

2) What has changed over the last few years that makes it ok nowadays to place such functionality in the semi-insecure DMZ zone?

All help greatly appreciated.