When you use the org.jboss.security.auth.spi.UsersRolesLoginModule for authentication, you need to create a users.properties file in the same directory as the configuration files for your JBoss instance - "instance"/conf. So if you run the default instance, the file needs to be in server/default/conf of your 3.2.0 distribution. In your case, it will need to be in server/all/conf.

The file contains users and their passwords, one user per line in the following format:
username=password

So you'll need to create the file as it doesn't exist by default.

Sorry. A little distracted. The other file you will need is a roles.properties that specifies the roles that the login fulfils. This all ties together like this:

In your server/all/jmx-console.war/WEB-INF directory, you will have a jboss-service.xml that will have a setting to turn on JAAS authentication for the scurity domain.

<jboss-web>
<!-- Uncomment the security-domain to enable security. You will
need to edit the htmladaptor login configuration to setup the
login modules used to authentication users.
-->
<security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

In web.xml in the same directory, you will set servlet security, with the following:

<security-constraint>
<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
An example security config that only allows users with the
role JBossAdmin to access the HTML JMX console web application

<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>

<security-role>
<role-name>JBossAdmin</role-name>
</security-role>

Essentially, you do BASIC authentication and anyone authenticated who has a security role of JBossAdmin can access all jmx-console pages - review servlet security mechanisms to understand this part better.

Now, say you want a user Frodo with password Samwise to be able to be able to access the jmx-console.

So in users.properties, you should at least have the line:
Frodo=Samwise

Now in roles.properties, you want Frodo to at least have the role, JBossAdmin which is the security role required to access jmx-console. The line in the file is:
Frodo=JBossAdmin

An authenticated user can have more than one role, with roles separated by commas.

Hope that helps and makes sense.

OK. Go back to basics. Try commenting out the security-constraint, the login-config and security-role from your web.xml. Comment out the security-domain in jboss-web.xml. Restart it. We've just turned off authentication.

If that doesn't fix it then you have a problem - either it is not the instance you think it is, or there is something else overriding your authentication method.

I assume, you are starting the "all" instance via either:
run.sh -c all
or
run.bat -c all

Also, I assume that server/all/login-config.xml has the following entry uncommented in it?

<application-policy name = "jmx-console">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />

</application-policy>