I am still on JBoss 3.0.x so I am not sure how it is with the AFAIK still beta JBoss 4.0.
But here is how it should work:
What is the URL in the <security-domain> of your
In my case it is:
The last part of this URL is name of a JAAS application policy in your JBOSS_DIST/server/default/conf/login-config.xml
or what ever the name of the JAAS config file is with JBoss4.
Look of the "jmx-console" application policy and make sure it is not commented out.
On (JBOSS_DIST/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml) i have on security-domain tag this:
and it is confirmed that it is name of a JAAS application policy in my (JBOSS_DIST/server/default/conf/login-config.xml)
'jmx-console' appears also here and both are not commented, so if i change java:/jaas/admin to
java:/jaas/jmx-console it is confirmed there is no effect at all.
Again and again, this accepts any login with any password. Could it be a problem of JBoss 4DR...??
Hey....!! I think i found a bug on JBoss 4 DR.. ;)
I installed the 3.2.2 RC1 and apllied all things as i said on my first message.
And it works great Sebastian! Thanx again !
Are you going to log it into the sf bug tracker?