As you may already noticed, JBoss Application Server v5.0 was released a week ago. It is a Java EE 5.0 certified application server as shown from the compatibility page at JavaEE Compatibility.
JBoss AS 5 has many security enhancements that the community will benefit from.
Apart from the JBoss Microcontainer integration, the security layer has pluggable authorization stacks, auditing and simplified configuration.
To achieve the highest form of security for your applications running on the JBoss Application Server, it is recommended to run the application server under a Java Security Manager. You can configure your permissions assigned to your applications using the following security manager policy as a template.
Look for my blog posts on JBossAS5 security here.