JMX console and Web console are deployed on jboss like a ordinary application, so you just nead to set a ordinary Authentication and Authorization controll, this is already provided, you nead just uncomment.
webconsole: \deploy\management\console-mgr.sar\web-console.war\WEB-INF \jboss-web.xm
Thank you very much, Poyan.
In the mean time I've achieved successfully to setup the security for JMX and JBoss web console.
In the web.xml, there should be also uncommented the <security-constraint>.
Also important is to change the password in the ..-user.properties, which is by default 'admin'.
what about the tomcat status pages, how do i dissable them?