...
1. Locate the <security-constrain> constraint> element (around line 101) in the file
...
4. Note that it is not good practice to run any web service as a privileged user (e.g. "root"). Therefore, to minimizie your risk overall, you should run JBoss under an unprivileged account.