dserodio ([info]dserodio) wrote,
@ 2006-04-10 19:15:00
Servlet Security
Currently, we have a single Java web app running. This app's architecture is a mess, because the developer who implemented "the web part" had never done Java webapps before, so he used the only "model" he was used to: PHP.
As a result, there's a lot of business logic in the JSPs, which makes it pretty hard to test, and it completely ignores that it's running inside a container.
The app's security uses a programmatic model, and is pretty badly implemented. The login page creates an "operator" bean and puts it in the HttpSession. Then, each JSP has a <jsp:useBean/> tag, which looks for this "operator" bean. If the session has expired, the result is an "InstantiationException: bean operator not found within scope" error.
The error page tries to differentiate between a "regular" error and a "bean operator not found within scope" error using javax.servlet.error.message, which is pretty fragile. The net result is that when the session expires, the user gets a cryptic error page and the app logs an ERROR which is not an error.
I have configured log4j to e-mail me all uncaught errors, which means I'm getting lots of e-mails reporting expired sessions.

I knew this implementation was bad, but the flood of e-mail has made me fix it now. In the (near) future, we're going to need an SSO solution, but for now, I'm using plain Servlet CMS (container-managed security); I hope it won't be too difficult to replace it when the time comes.