I found that JBoss 3.0.6 has security problem. The default handler for pages is RootNotFoundHandler, which will disclose what had been deployed when I tried to load a page that is not exists.
I cannot found anu way to work around this except disabling it in jmx-console. Does anybody knows a way to disable it in the configuration files?