I've started a topic in the Remoting forum about secure remote classloading, which pertains strongly to the security framework of JBossAS.

The link is here: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=144403