At the moment deployments of EJBCA required that the user has write privileges to the JBoss standalone (/deployments/) directory.
It would be nice if we could support providing a separate directory from the JBoss server home where the EJBCA application, and any relevant third-party libs, would get deployed instead.
In combination with some special init/config scripts for JBoss, this would allow us to keep the JBoss deployment mostly intact (except perhaps for the necessary changes for PKCS#11 usage - although maybe even this could be overridden in some way). This could make the JBoss upgrades much more independent from EJBCA, allow for easier patching of JBoss etc.
Something similar has been already done in one of the customer projects (where customer had some rather invasive requirements on directory structure).