Those are hard questions.
Are you worried about your client accessing these resources or are you worried about someone getting to these resources through the web server?
I think it is almost impossible to prevent a determined client/customer from reverse engineering your app. Most clients do not, because they don't see the value in taking the time to do so. If you are going to charge the client a boatload of money to upgrade/maintain the app, they may have more incentive. It is a balance that you have to find for your product, with your customers.
The best way to make it possible to impose the limits that you are asking about is to host the app on a machine and domain that you own...
vbk
[Message sent by forum member 'vbkraemer' (vbkraemer)]
http://forums.java.net/jive/thread.jspa?messageID=268358