The move toward jboss-web.xml instead of context.xml is a good thing. In many ways, the difference in behavior (META-INF and WEB-INF) between tomcat and JBAS is kind of annoying wrt context.xml
Security Domains
Since security domain configuration is usually shared between EE applications (Web, EJB, WS etc), I think it makes sense to have the sec domain config as part of the security subsystem in the domain model. This allows sharing of the config by reference.