Web-based systems like enterprise and e-government portals pose special requirements to information security. Todays portal platforms provide some security functionality, mainly targeting at supporting a single-sign-on for the underlying applications. We argue that single-sign-on is not sufficient, but rather a mature security service is needed as a central authorization instance. As access control is needed on different levels of a portal architecture, only this allows an integrated approach to security management. We present CSAP (Communication Security, Authentication, and Privacy), a flexible security system for enterprise and e-government portals. CSAP was originally developed within the EU-funded research project Webocracy. Meanwhile, various enhancements to CSAP have been made, which are being discussed in this paper. The major enhancement is a Metadata-based Access Control facility (MBAC) which allows more flexibility in highly open and heterogeneous systems. We use CSAP within two portal prototypes, one in an enterprise one in an e-government context, which are being presented as case studies.