JBoss 3.0.0 uses the HTML adaptor from Sun. As far as I remember, it does support simple plain-text username/password authentication (which itself is not very secure). This is most likely documented somewhere in the Sun RI 1.0 documentation or API doc.
Other options are to disable the adaptor in a production system, to protect port 8082 from external connection attempts, or to update to 3.0.1 or above.