Ok, I hit the submit instead of the preview button. Dang. No way to erase or modify a message I have just posted. Double dang.
The default configuration has a whole bunch of stuff in the deploy directory. Which bits depend on which other bits? Is it even possible to know, or is it all buried inside the code of the various components? Where is the documentation describing how to find this out?
I have been reading the JBoss admin and development guide, but it's only for version 3.6.3. Is there a version for 4.0.4?
How do I secure the app? The 3.6.3 admin guide has a section on dong it, but it's dreadful and it mentions jmx-invoker-adaptor-server.sar which is not in the 4.0.4 deploy direcory.
Then there's the issue of users and groups. Is it simply the case that you write a jaas login module and drop it on the path ... somewhere? Does jboss even have some sort of standard files or ldap based security module? Where is it?
Then, of course, there's the portal. It has one security group named "Authentiated: or something. Beats me how it works that out.
I have to tell you - glassfish makes a great deal more sense at this point. The deploy directory is not cluttered with a whole bunch of internal bumf (it's amazing that the spot where you put your webapps is the same as the spot where the http invoker module goes - JBoss was clearly not built with the applications programmer in mind), and all the admin gear runs on a separate port that can be blocked at the router.
At this point, the only way I'd expose the jboss port to the net is if I was running an http proxy that checked authentication - I don't know what jboss is exposing, on what urls.
Basically - it's all awful.
I mean, back on the subject of URLs, the http service has to know, somehow, which components to direct incoming HTTP requests at. The web serviceces, the jsp directories, and so on. Is there some sort of monitoring for that? Can I ask the service, to report to me the list of what web application all incoming urs might be sent to?
Kindly forgive me for multiple violations of the forum good behaviour rules. Most of the answers are - of course - on the wiki.