We increasingly rely on complex applications that are typically distributed and implemented in systems that must have high reliability and security. Some of these applications, e.g., medical, financial, military, and legal, additionally require compliance with regulatory standards. Integration of these applications is achieved using a Web Application Server, a type of middleware with a global enterprise model. We consider the security needed to support such type of middleware, present patterns that can be used to build secure middleware, and show how to combine them to provide security to specific functions. We see the secure architecture as a composition of functional (unsecured) patterns with patterns that provide specific security functions. We show in some detail how we can start from general distribution and component patterns and add security patterns to build a secure middleware architecture.