Okay, I've uncommented the security for jmx-console, but j_security_check will accept any user and password and let me right into the jmx-console as well.
I have users.properties and roles.properties in conf, but it doesn't seem to be picking it up. There's something wrong with my security setup. Below is the XML for the
<application-policy name = "other">
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
try dropping users.properties & roles.properties into server/deploy/jmx-console.war/WEB-INF/classes and see if that makes a difference.
I figured it out. I didn't have my jboss-web.xml in there. I had the security settings in jmx-console commented out. Once I did that, it worked! I must remember that containers need to know things. They can't just read my mind.