On the server side, we probably should be able to configure the security like our other subsystems (e.g. so we can share the same userid + password with the jmx console if desired or have a separate identity).
One reference that describes how JConsole passes the authentication is here: http://java.sun.com/developer/technicalArticles/J2SE/jconsole.html
"JConsole will pass the user name and password as client credentials as authentication to the RMI connector server by setting the "jmx.remote.credentials" property to these values in the environment map for establishing the connection."
Perhaps we can support passing credentials the JConsole way and the org.jboss.security.SecurityContext way.
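The JConsole mechanism quoted above, shown from both ends as an added example (not JBoss or JConsole code): the client puts a `String[]{user, password}` under `jmx.remote.credentials`, and the connector server hands that object to a `JMXAuthenticator`. The class name `JmxCredentialsDemo` and the demo account are constructed for illustration; a real server would delegate the check to its configured security subsystem.

```java
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class JmxCredentialsDemo {
    // Constructed demo account (assumption); stands in for the server's security domain.
    static final String USER = "admin", PASS = "constructed-demo-password";

    static byte[] b(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    // Server side: receives the object the client stored under "jmx.remote.credentials".
    static final JMXAuthenticator AUTH = credentials -> {
        // The value is client-controlled, so validate its type and shape before use.
        if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2)
            throw new SecurityException("credentials must be String[]{user, password}");
        String[] c = (String[]) credentials;
        if (c[0] == null || c[1] == null) throw new SecurityException("authentication failed");
        // Compare both fields without short-circuiting; same error for either mismatch.
        boolean ok = MessageDigest.isEqual(b(c[0]), b(USER)) & MessageDigest.isEqual(b(c[1]), b(PASS));
        if (!ok) throw new SecurityException("authentication failed");
        return new Subject(true, Collections.singleton(new JMXPrincipal(c[0])),
                Collections.emptySet(), Collections.emptySet());
    };

    // Client side: what JConsole does when a user name and password are supplied.
    static boolean tryConnect(JMXServiceURL url, String user, String pass) throws Exception {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {user, pass}); // "jmx.remote.credentials"
        try (JMXConnector c = JMXConnectorFactory.connect(url, env)) {
            c.getMBeanServerConnection().getMBeanCount();
            return true;
        } catch (SecurityException e) {
            return false; // rejected by the server-side authenticator
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, AUTH); // "jmx.remote.authenticator"
        // No JNDI path in the URL: the server returns a stub-encoded address after start().
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                new JMXServiceURL("service:jmx:rmi://"), env, ManagementFactory.getPlatformMBeanServer());
        cs.start();
        try {
            System.out.println("valid login accepted:   " + tryConnect(cs.getAddress(), USER, PASS));
            System.out.println("invalid login accepted: " + tryConnect(cs.getAddress(), USER, "wrong"));
        } finally {
            cs.stop();
        }
    }
}
```

The credentials array travels over the RMI connection as serialized data, so without SSL on the connector the password is readable on the wire.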