It may be that I'm not understanding something, but... how is everyone else making sure that no one is accessing MBeans if role-based security is not used (or maybe just authentication)? Is everyone just removing the jmx-invoker-adaptor-server.sar?
Read the JMX chapter for examples of adding security to XMBeans via interceptors, and check out the org.jboss.jmx.connector.invoker.AuthenticationInterceptor used by the current XMBean deployment of the jmx-invoker-adaptor-server.sar:
I was using 3.2.3 and couldn't figure out how to do it. BTW, we do have the paid documentation.
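
An added example, not part of the thread and not JBoss's own code: a Python check that every operation in an inline xmbean descriptor carries an active org.jboss.jmx.connector.invoker.AuthenticationInterceptor, the interceptor named in the reply above. The descriptor layout, the securityDomain attribute and the java:/jaas/jmx-console domain are assumptions used in a constructed sample; compare them against the jboss-service.xml inside your own jmx-invoker-adaptor-server.sar.

```python
import xml.etree.ElementTree as ET

AUTH = "org.jboss.jmx.connector.invoker.AuthenticationInterceptor"

# Constructed descriptor modelled on an xmbean <operation> entry (assumed
# layout, not copied from a JBoss release).
TEMPLATE = """<server>
  <mbean code="org.jboss.jmx.connector.invoker.InvokerAdaptorService"
         name="jboss.jmx:type=adaptor,name=Invoker" xmbean-dd="">
    <xmbean>
      <operation>
        <name>invoke</name>
        <descriptors>
          <interceptors>
            {interceptor}
          </interceptors>
        </descriptors>
      </operation>
    </xmbean>
  </mbean>
</server>"""
ENABLED = '<interceptor code="%s" securityDomain="java:/jaas/jmx-console"/>' % AUTH
SECURED = TEMPLATE.format(interceptor=ENABLED)
# Interceptor present only inside an XML comment: it is not active.
UNSECURED = TEMPLATE.format(interceptor="<!-- " + ENABLED + " -->")


def audit(descriptor_xml):
    """Return (mbean, operation, finding) for operations without active auth."""
    findings = []
    # The default parser drops comments, so commented-out config does not count.
    root = ET.fromstring(descriptor_xml)
    for mbean in root.iter("mbean"):
        for op in mbean.iter("operation"):
            name = (op.findtext("name") or "").strip()
            auth = [i for i in op.iter("interceptor") if i.get("code") == AUTH]
            if not auth:
                findings.append((mbean.get("name"), name, "no AuthenticationInterceptor"))
            elif not any((i.get("securityDomain") or "").strip() for i in auth):
                findings.append((mbean.get("name"), name, "interceptor has no securityDomain"))
    return findings


if __name__ == "__main__":
    for label, xml in (("secured", SECURED), ("unsecured", UNSECURED)):
        print(label, audit(xml) or "ok")
```

The check only covers descriptors embedded inline in the service file; a descriptor referenced through xmbean-dd would have to be loaded and passed to audit() separately.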