anonymous wrote : But they should neither be allowed to open the start page of JBoss (with all the Tomcat stats and so on), Some ways to do this: 1) Remove that application from being deployed (but that would mean even you cannot access it). 2) 2.a) Don't let it be the root application and instead setup your application as the root application http://www.jboss.org/community/docs/DOC-12261 2.b) Secure the ROOT.war application which shows the JBoss home page with password protected access (same as securing the jmx-console that i pointed out in my previous reply). anonymous wrote : especially not the jmx console and the web console. Same approach as above. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4221768#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...