We're evaluating JBoss/Tomcat in our small-scale hosting service. Therefore I have some questions about how to properly configure JBoss/Tomcat to achieve state in which user can deploy his app from within his linux account, his servlets/ejb's can access just his own resources. (if this is possible) - from what linux account should we run JBoss, etc...?
Maybe this question has more to do with java security than jboss/tomcat security(?) If so, where to look for some good info?