Create an account in Linux, say "jboss", and give that account exclusive rights to JBOSS_HOME (set access rights to 600 or 700). Use that account to run JBoss AS. Now only someone who knows the password to the "jboss" account can deploy anything.
It is also a good idea to follow the security settings outlined in the link that Jaikiran posted, so that you could restrict access to the JMX console and other things which will let users get around the restrictions imposed by the "jboss" account.
Abhishek Mhptr wrote: Can we identify how and when the JVM verifies the signature in JBOSS?
No. Your code is in the WAR and thus cannot catch the exception - your code has not even started running, the JVM is still trying to open the WAR file.
Can we add some code (functionality) while verifying the WAR file,
so that only a WAR file with a specific signature will get deployed in JBOSS?
Your code can check that it is running on JBoss AS by checking for the presence of JBoss AS-specific files. I'm not sure if there is a way to ask the JVM to supply the signature information used to sign the WAR file.
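On the open question of reading a WAR's signer information: the sketch below is an added example, not code from any poster in this thread or from JBoss. It uses the standard `java.util.jar` API as a stand-alone gate run by the "jboss" account before a WAR is copied into the deploy directory; the class name `WarSignerCheck` and the idea of pinning the signing certificate by SHA-256 fingerprint are assumptions of the example.

```java
import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HexFormat;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example (hypothetical class name, not JBoss code). Needs Java 17+ for HexFormat.
public class WarSignerCheck {
    // The manifest and the signature files in META-INF/ never carry signers themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }
    // True if one of the entry's signers uses the certificate with the pinned SHA-256 fingerprint.
    static boolean pinned(CodeSigner[] signers, String expectedHex) throws Exception {
        if (signers == null) return false; // entry is not signed at all
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            String fp = HexFormat.of().formatHex(md.digest(leaf.getEncoded()));
            if (fp.equalsIgnoreCase(expectedHex)) return true;
        }
        return false;
    }
    // Every payload entry must verify and must be signed by the pinned certificate.
    static boolean signedBy(File war, String expectedHex) throws Exception {
        try (JarFile jar = new JarFile(war, true)) { // true = verify signatures while reading
            boolean sawPayload = false;
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream()); // SecurityException on tampering
                }
                // Signers are only available after the entry has been read to the end.
                if (!pinned(e.getCodeSigners(), expectedHex)) return false;
                sawPayload = true;
            }
            return sawPayload; // an archive with no payload entries is rejected
        }
    }
    public static void main(String[] args) throws Exception {
        // args: <path-to.war> <sha256-hex-of-signing-cert>; exit 0 only if the WAR passes
        System.exit(signedBy(new File(args[0]), args[1]) ? 0 : 1);
    }
}
```

`JarFile` verification checks entry digests and the signature blocks but does not validate the certificate chain against a trust store, which is why the example compares the signer certificate to a pinned fingerprint. A modified entry raises `SecurityException`, so the process also exits non-zero in that case.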