In EAP, the JBossAs component ships the 'production' server configuration with the DownloadServerClasses property set to 'true'. For a production environment this property should default to 'false': while it is enabled, the server's class-download service hands out non-EJB classes to remote clients, which can lead to information leakage.
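The following audit script is an added example and is not part of this advisory or of the JBoss project. It assumes the property lives on the WebService MBean (org.jboss.web.WebService) in the server's jboss-service.xml, as in JBoss AS 4.x; the sample configuration is constructed to show the weak 'production' value beside the hardened one, and the file path named in the comments is an assumption.

```python
"""Audit and fix the DownloadServerClasses setting in a JBoss 4.x jboss-service.xml."""
import xml.etree.ElementTree as ET

# MBean class that implements the JBoss 4.x class-download service (assumed name).
WEBSERVICE_CODE = "org.jboss.web.WebService"
ATTR_NAME = "DownloadServerClasses"

# Constructed sample of the weak 'production' setting the advisory describes.
# A real file (assumed path: server/production/conf/jboss-service.xml) carries
# many more MBeans; only the WebService one matters here.
WEAK_CONFIG = """<server>
  <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
    <attribute name="Port">8083</attribute>
    <attribute name="DownloadServerClasses">true</attribute>
    <attribute name="DownloadResources">false</attribute>
  </mbean>
</server>
"""


def _webservice_mbean(root):
    """Return the WebService <mbean> element, or None if the file has none."""
    for mbean in root.iter("mbean"):
        if mbean.get("code") == WEBSERVICE_CODE:
            return mbean
    return None


def download_server_classes(config_xml):
    """Return True/False for an explicit DownloadServerClasses value, None if unset."""
    mbean = _webservice_mbean(ET.fromstring(config_xml))
    if mbean is None:
        return None
    for attr in mbean.findall("attribute"):
        if attr.get("name") == ATTR_NAME:
            return (attr.text or "").strip().lower() == "true"
    return None


def harden(config_xml):
    """Return the config text with DownloadServerClasses explicitly set to false.

    An absent attribute is added rather than relying on the server's built-in
    default, so the hardened file documents the intended value.
    """
    root = ET.fromstring(config_xml)
    mbean = _webservice_mbean(root)
    if mbean is None:
        raise ValueError("no %s MBean found; nothing to harden" % WEBSERVICE_CODE)
    for attr in mbean.findall("attribute"):
        if attr.get("name") == ATTR_NAME:
            attr.text = "false"
            break
    else:
        attr = ET.SubElement(mbean, "attribute", name=ATTR_NAME)
        attr.text = "false"
    return ET.tostring(root, encoding="unicode")


def audit(config_xml):
    """Return a one-line verdict for the given jboss-service.xml text."""
    value = download_server_classes(config_xml)
    if value is True:
        return "FAIL: DownloadServerClasses=true (remote class download enabled)"
    if value is False:
        return "OK: DownloadServerClasses=false"
    return "WARN: DownloadServerClasses not set explicitly; verify the server default"


if __name__ == "__main__":
    print(audit(WEAK_CONFIG))
    print(audit(harden(WEAK_CONFIG)))
```

Run it against the real file with `audit(open(path).read())`; a WARN result means the attribute is not set explicitly and the server's compiled-in default applies, which is exactly the case this advisory is about, so treat it as needing the explicit 'false'.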
This was addressed via:
- JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (RHSA-2008:0831)
- JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (RHSA-2008:0832)
- JBoss Enterprise Application Platform for RHEL 4 AS (RHSA-2008:0833)
- JBoss Enterprise Application Platform for RHEL 5 Server (RHSA-2008:0834)