If you install a jboss-4.0.4.GA default configuration using the installer jar the jmx-console servlet and the http-invoker servlet are both secured (admin user and admin as default password). If a client wants to get the initial naming context over HTTP with the following jndi properties
an exception was thrown. With the security disabled http-invoker (modified jboss-web.xml and web.xml) an initial (naming) context can be created. It's not possible, to set the users credentials to the factory's properties. What's wrong? Is this a bug or a feature?