We've activated the jmx-invoker authentication which also forces twiddle authentication.
But we've got another problem - the shutdown also asks for authentication, and for 4.0.1 shutdown doesn't support a password parameter (another bug of 4.0.1).
It's not a bug, it's a feature. You should be able to shut down the server through twiddle as well. Look at the available operations of the jboss.system:type=Server MBean, if I recall.