I'm just in the process of getting the User app up and running in production
after many weeks on the test bench.

I just noticed that the login page only has http:, not https:. That
concerns me more than a little. Is there some web-fu in the background
which will encrypt the password, or is it sent across the wire as
plain-text? If the latter, is there some JBoss tweak that can be done to
make it use SSL?