I'm looking to put in a simple web application on JBoss, and the JBoss instance sits on a server with PCI information (credit cards, etc) and possibly PII (SSN's, etc.). This can't be helped. It's unclear at this point if any of the applications we will be writing will directly access this sensitive data, or if we're merely trying to protect the overall server.
Does JBoss have an known issues with security or PCI compliance? Is there an app server that lends itself better to PCI? Anyone have any links to prior discussions in this forum or some whitepapers somewhere?
Architecturally, we want to stick with JBoss because we've already purchased it for other uses, but if the reasons are compelling, it may be worth investigating an alternative.