If you missed Rajesh's email on the JBoss.org development mailing list, take a look at the new JBoss 4.2.0.GA release to the community.
You can download it from:
The release notes:
On the security side, the following issues may be of interest:
[ JBAS-1824 ] JACC: * in web.xml should allow configurable authorization bypass
[ JBAS-2895 ] Extend SecureIdentityLoginModule to externalize the secret
[ JBAS-3400 ] JaasSecurityManagerService can show security provider/JCA algorithm information
[ JBAS-1537 ] When Tomcat error handler is invoked, JBossGenericPrincipal is returned instead of custom principal
[ JBAS-4158 ] JACC:WebUserDataPermission creation for unchecked policy should consider excluded constraints
[ JBAS-4149 ] Update Jacc Authorization to consider deployment level roles
There is other security-related stuff in the release as well.
If you get the opportunity, try it out.