You need to secure the jmx-console web app.
Thanks, I'll try to figure it out.
However, shutdown.sh uses the org.jboss.Shutdown class and I can't see any possibility to pass any credentials in Shutdown.java.
I guess that after securing JMX, the shutdown.sh script will stop working as well.
Shutdown probably uses the RMI connector to contact the JMX MBean server (I haven't looked, you should check the code).
I don't know if there's a way currently to secure the JBoss RMI connector. If there isn't, you probably want to remove this service (the HTML console will still keep on working).
In looking at the code (v3.0.4), the Shutdown class uses the jmx-console web application to perform the shutdown. The only two parameters that it currently accepts are host and port. So, I believe you are correct in stating that shutdown.sh will stop working once you have secured the jmx-console web application.
I think it would be trivial to modify Shutdown.java to accept two new parameters for username and password. However, this would only work if jmx-console was protected with basic authentication (username/password) as opposed to something like client-side certificates.
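
The change proposed in the last post, sketched as an added example that is not part of the thread and not JBoss code: a shutdown client that takes a username and sends HTTP Basic credentials. The class name and the `<path>` argument are assumptions; the thread does not give the URL that Shutdown requests.

```java
import java.io.Console;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added sketch, not JBoss source. Class name and arguments are hypothetical.
public class AuthenticatedShutdown {

    // Value of the HTTP Basic "Authorization" header: base64("user:password").
    static String basicAuthHeader(String user, char[] password) {
        byte[] raw = (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: AuthenticatedShutdown <host> <port> <user> <path>");
            System.exit(2);
        }
        // Prompt for the password instead of taking it as an argument, so it
        // does not show up in the process list or in shell history.
        Console console = System.console();
        char[] password = (console == null) ? null
                : console.readPassword("Password for %s: ", args[2]);
        if (password == null) {
            System.err.println("no interactive console; refusing to read a password");
            System.exit(2);
        }
        // <path> is a placeholder for the jmx-console URL that performs the
        // shutdown; the thread does not state it.
        URL url = new URL("http", args[0], Integer.parseInt(args[1]), args[3]);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Authorization", basicAuthHeader(args[2], password));
        Arrays.fill(password, '\0');

        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            System.err.println("credentials rejected (401)");
            System.exit(1);
        } else if (status == HttpURLConnection.HTTP_FORBIDDEN) {
            System.err.println("authenticated, but the user lacks the required role (403)");
            System.exit(1);
        }
        System.out.println("server answered HTTP " + status);
    }
}
```

Basic credentials are only base64-encoded, so over plain HTTP they are readable on the wire; run the client on the server host or over a TLS connector.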