That's the reason why, starting with the JBossAS-4.2.x version, various JBoss services bind to localhost by default. See this: http://www.jboss.org/community/docs/DOC-10179 That page also has links to other pages which explain how to secure the JBoss instance.
Hmm, anyway, you can still find many sites with unsecured JBoss 4.2.x releases via a Google search.
I don't want to blame the JBoss team. Just letting you know about it.
I should point out that JBoss EAP (the for-fee version) comes with the services already secured. So secure, in fact, that you cannot access them (there is no valid login id defined). So customers of Red Hat that purchase support for JBoss EAP are already covered.