Hello - I am new to Jboss so I apologize if this is covered elsewhere. I have installed Jboss 5.1.0, and my application is up and running. I want to ensure I have the environment secured. Per the security articles I have found, I have enabled the proper security constraints to password protect the web console and the jmx console. However, I'm still a little unclear on how this mechanism is working. Specifically, I enabled the security constraints under the "default" folder structure (i.e. jboss\server\default). I've noticed that the same config files exist for my application being served by jboss (i.e. web.xml, jmx-console-users, login-config). Do I need to make the same changes there as well? Or do the settings stipulated in the "default" config files propagate out? Also, other than password protecting the consoles, what else should I be looking at from a security standpoint? Any tips would be greatly appreciated!