The default configuration which ships with JBoss EAP is quite good. However, in a non-development environment there are usually a few things you change, at least in the non-container world. All of the below stuff was done on EAP7. Keep in mind that this was done for the non-container world.

Before changing anything, we take a snapshot:

:take-snapshot

In a production environment, you probably want to control the deployment, so what is deployed when. Therefore we remove the deployment scanner:

try
  /subsystem=deployment-scanner:read-resource
  /subsystem=deployment-scanner:remove
catch
  echo
end-try

The example datasource is also nothing you would need, so let’s remove it along with the H2 driver:

if (outcome == success) of /subsystem=datasources/data-source=ExampleDS:read-resource
  /subsystem=datasources/data-source=ExampleDS:disable
  /subsystem=datasources/data-source=ExampleDS:remove
end-if
if (outcome == success) of /subsystem=datasources/jdbc-driver=h2:read-resource
  /subsystem=datasources/jdbc-driver=h2:remove
end-if

If you use properties in deployment descriptors, it might be good to enable their replacement:

if (result != true) of /subsystem=ee:read-attribute(name=jboss-descriptor-property-replacement)
  /subsystem=ee:write-attribute(name=jboss-descriptor-property-replacement,value=true)
end-if
if (result != false) of /subsystem=ee:read-attribute(name=annotation-property-replacement)
  /subsystem=ee:write-attribute(name=annotation-property-replacement,value=true)
end-if

To not expose any version information etc. for HTTP requests, you gotta tweak the undertow subsystem:

if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:read-resource
  /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove
end-if
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:read-resource
  /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
end-if
if (result == true) of /subsystem=undertow/servlet-container=default/setting=jsp:read-attribute(name=x-powered-by)
  /subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
end-if
if (outcome == success) of /subsystem=undertow/configuration=filter/response-header=server-header:read-resource
  /subsystem=undertow/configuration=filter/response-header=server-header:remove
end-if
if (outcome == success) of /subsystem=undertow/configuration=filter/response-header=x-powered-by-header:read-resource
  /subsystem=undertow/configuration=filter/response-header=x-powered-by-header:remove
end-if
if (outcome == success) of /subsystem=undertow/server=default-server/host=default-host/location=\/:read-resource
  /subsystem=undertow/server=default-server/host=default-host/location=\/:remove
end-if
if (outcome == success) of /subsystem=undertow/configuration=handler/file=welcome-content:read-resource
  /subsystem=undertow/configuration=handler/file=welcome-content:remove
end-if

Some audit logging (without logging the booting of the EAP):

if (result == true) of /core-service=management/access=audit/logger=audit-log:read-attribute(name=log-boot)
  /core-service=management/access=audit/logger=audit-log:write-attribute(name=log-boot,value=false)
end-if
if (result == false) of /core-service=management/access=audit/logger=audit-log:read-attribute(name=enabled)
  /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
end-if
if (result != jboss.server.log.dir) of /core-service=management/access=audit/file-handler=file:read-attribute(name=relative-to)
  /core-service=management/access=audit/file-handler=file:write-attribute(name=relative-to,value="jboss.server.log.dir")
end-if

Don’t forget to make use of the CLI offline mode. So basically all of this was wrapped in the following:

embed-server
//the commands
stop-embedded-server

The commands try to be as idempotent as possible, so that it fits into automation.