Edit the web.xml and the jboss-web.xml file in the jmx-console.war (which is actually a directory in the latest releases, so you can easily edit its contents) to enable security.
In the web.xml you uncomment the security-constraint. Note that the default authentication method is "basic" (your web browser will pop-up a password dialog). Also note that the role specified here is "JBossAdmin".
In the jboss-web.xml you uncomment the security domain (default: jmx-console).
Now edit the login-config.xml in the conf directory. This contains an application policy called "jmx-console" (the name must match the security domain in the jboss-web.xml). Here you configure the login module you want to use, similar to the others. Make sure your login module associates the role 'JBossAdmin' with the username you want to use to access the jmx-console (e.g. when you use the UsersRolesLoginModule, the file roles.properties should contain a line like "admin-user=JBossAdmin").
The link is: http://community.jboss.org/wiki/SecureTheJmxConsole
for those who find this topic by search:
There is a community courtesy notification for a severe security issue affecting some of the JBoss projects and products. Default security settings in web.xml protect only GET and POST protocols leaving another ones open. Please refer to the following Red Hat KBase article for more information:
Only when you apply the solution you can be sure that your JMX Console is protected.
Please note that Web Console has the same issue, and you need to apply the solution to it as well.
Also it is recommended to hash passwords in the config files. Read about how to do it in JBoss Getting Started guide.