Next generation middleware must support applications in the face of increasing diversity in interaction paradigms, end system types and network styles. Therefore, to secure applications, flexible security policies must be configured and indeed reconfigured at runtime. In this paper, we propose an approach combining the openness of reflective middleware with the flexibility of programmable security to meet such demands. In particular, we build a security architecture based on the Gridkit reflective middleware platform and the Obol security protocol programming language. The paper then describes a case study that uses flexible policies in order to secure remote procedure calls and secure group communication. We also evaluate this approach in terms of its security properties, flexibility, ease of use and extensibility.