I'm not 100% sure what your current setup looks like..so I hope none of this is way off..
From what I can gather, your Hibernate setup is being done client side? I would expose the `dao` or `service` through JNDI on JBoss. This can be tightly integrated into JBoss. The client could then access the JNDI over HTTP(S) using the HTTP Invoker.
Of course, in all this..you could just as easily expose a web-service or use something like Hessian. Either way, you've got options
I would not expose my SessionFactory because that would mean managing the sessions over the client. Managing the session (lazy load errors) is tough enough
I hope this provided at least a little bit of insight. Feel free to clarify the current way the application is being implemented.
Also..how are you trying to "limit their access" to the "database"? Couldn't you just make the user only have local privileges in your DBMS? Could you clarify what "local" means?
Best of luck,
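To make the advice above concrete, here is an added example (not code from the original thread or from JBoss/Hibernate) of the split the answer recommends: the client is handed a narrow, serializable service interface looked up through JNDI, while the Hibernate `SessionFactory` and every `Session` stay on the server and are opened and closed per call. The names `AccountService`, `AccountServiceImpl`, `AccountDto`, `AccountEntity` and the JNDI name `java:/AccountService` are assumptions for illustration; the JNDI provider settings are assumed to come from a `jndi.properties` on the client.

```java
// Added example, not from the original thread. Names below (AccountService,
// AccountDto, AccountEntity, "java:/AccountService") are assumptions.
import java.io.Serializable;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;

public final class AccountServiceExample {

    /** What the remote client sees: a narrow interface. No Session, no SessionFactory. */
    public interface AccountService {
        AccountDto findAccount(long id);
        void rename(long id, String newName);
    }

    /** Plain serializable DTO: no Hibernate proxy or lazy collection ever leaves the server. */
    public static final class AccountDto implements Serializable {
        private static final long serialVersionUID = 1L;
        public final long id;
        public final String name;
        AccountDto(long id, String name) { this.id = id; this.name = name; }
    }

    /** Hibernate entity; stays server-side. Mapping (annotations or hbm.xml) omitted. */
    public static class AccountEntity {
        private Long id;
        private String name;
        public Long getId() { return id; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Server-side implementation: owns the session lifecycle for each call. */
    public static final class AccountServiceImpl implements AccountService {
        private final SessionFactory sessionFactory;

        public AccountServiceImpl(SessionFactory sessionFactory) {
            this.sessionFactory = sessionFactory;
        }

        @Override
        public AccountDto findAccount(long id) {
            Session session = sessionFactory.openSession();
            try {
                AccountEntity e = (AccountEntity) session.get(AccountEntity.class, id);
                if (e == null) {
                    return null;
                }
                // Copy into the DTO while the session is still open, so nothing
                // lazy is touched after close and the client never sees a proxy.
                return new AccountDto(e.getId(), e.getName());
            } finally {
                session.close();
            }
        }

        @Override
        public void rename(long id, String newName) {
            Session session = sessionFactory.openSession();
            Transaction tx = session.beginTransaction();
            try {
                AccountEntity e = (AccountEntity) session.get(AccountEntity.class, id);
                if (e == null) {
                    throw new IllegalArgumentException("no account with id " + id);
                }
                e.setName(newName);
                tx.commit();
            } catch (RuntimeException ex) {
                tx.rollback();
                throw ex;
            } finally {
                session.close();
            }
        }
    }

    /** Client side: obtain the service by its (assumed) JNDI name over the configured invoker. */
    public static AccountService lookupClient() throws NamingException {
        // Provider URL and initial context factory are assumed to come from jndi.properties.
        InitialContext ctx = new InitialContext();
        return (AccountService) ctx.lookup("java:/AccountService");
    }
}
```

With this layout the only database credentials in play are the ones the application server's datasource uses, so the DBMS account can be granted just the tables and statements the service methods actually need, and the client machine never holds a database login at all.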