Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.