I generally follow what I wrote on http://hudson.gotdns.com/wiki/display/HUDSON/JBoss with security enabled public instance.

For the public instance I use <your server>=public (copy of default).
For internal instance I use <your server>=default.

unzip JBoss EAP
Edit $JBOSS_HOME/server/<your server>/deploy/jboss-web.deployer/server.xml and change `<Connector port="8080"' to `<Connector port="8585"'.
#see startup script for the below. It's workarounded
#Edit $JBOSS_HOME/server/bin/run.sh and set -Djava.awt.headless=true somewhere in JAVA_OPTS (the idea is to not have this variable exported)
mkdir hudson_<version>
cp hudson.war hudson_<version>

#public instance only for security
cd hudson_<version>; mkdir unzipped; cd unzipped
unzip ../hudson.war
cd WEB-INF
create jboss-web.xml containing:
            <jboss-web>
                <!-- For public in production
                <context-root>/</context-root>
                <virtual-host>hudson.jboss.org</virtual-host>
                -->
                <security-domain>java:/jaas/jmx-console</security-domain>
            </jboss-web>
cd  $JBOSS_HOME/server/<your server>/conf/props
add "hudson=admin" to jmx-console-roles.properties
add "hudson=passwd" to jmx-console-users.properties
edit $JBOSS_HOME/server/<your server>/conf/login-config.xml
  uncomment "<application-policy name = "jmx-console">" lines
edit $JBOSS_HOME/server/<your server>/deploy/jmx-console.war/WEB-INF/jboss-web.xml
  uncomment <security-domain>
edit $JBOSS_HOME/server/<your server>/deploy/jmx-console.war/WEB-INF/web.xml
  uncomment lines after "A security constraint that restricts access..."
#end public instance only

Start server -b 0.0.0.0 -c <your server> -u <random mcast address> and different HUDSON_HOME for public.
deploy by creating a symbolic in the server's deploy dir:
  ln -s ~/hudson_<version>/hudson.war .
  ln -s ~/hudson_<version>/unzipped hudson.war (for the public instance)

Start server with -Djava.awt.headless=true

#public instance only
enable security
set up number of executors to "0"
install artifacts receiver plug-in
install subset of plugins (not all required)
#end public instance only

install public artifacts publisher plugin
install plugins
Other configuration options as applicable.

TODO:
#treeview-min.js from yahoo.widget.treeview download to scripts/yui; should be fixed in feature versions of hudson
#jsp redirect to avoid issues
#deploy hudson to server root to avoid user typing /hudson

HOWTO:
restart hudson from the jmx console void reload method - search for "//localhost/hudson"