In trying to fit together all of the best practice advice we're collecting, it's become pretty clear that many folks in the Java world have gotten so deep into their particular ecosystem that they have forgetten that others exist. Recommendations conflict. One camp rallies around "Use our marvelous class library, and do X, not Y!" (Where Y is something like embedded raw Java in JSPs), and another camp has a wonderful set of data access patterns that, uh, end up requiring intermediate bean objects to avoid putting raw Java in JSPs (thus cancelling out one of the benefits of the patterns). One camp decries putting anything besides cached data in the session object, while another camp has an otherwise marvelous form validation strategy that pretty much requires stuffing form data into the session object. Hello, leakage!
I get the impressions of small groups working in isolation, each clawing through the pain of building J2EE apps, offering up their particular scar tissue as a solution without first stopping to share notes.