Project: Application Server 3 4 5 and 6
Issue: JBAS-5092

JMX Invoker security should use a role to control security


    • Type: Feature Request
    • Resolution: Obsolete
    • Priority: Major
    • Fix Version/s: No Release
    • Affects Version/s: JBossAS-4.2.0.GA
    • Component/s: JMX
    • Labels: None

      The JMX Invoker is secured using the security domain java:/jaas/jmx-console. However, there appears to be no way to specify a particular role (e.g., JBossAdmin).

      This means that if a "userA" is added to the jmx-console-users.properties file, but "userA" is not added to any role, "userA" still has the privilege to perform JMX invoker requests, such as shutdown.

      Obviously one solution in this case is to not add "userA" to the jmx-console-users.properties file.

      However, the problem is more acute when a custom login module is developed. For example, a system administrator could develop a custom login module which validates a user against the operating system userid and password. The custom login module then uses another mechanism (e.g., flat file or database) to define the roles allowed for each user. However, since no role is required, any valid user on the system (e.g., "guest") would be granted access to the JMX Invoker.
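The gap the report describes is the difference between "any authenticated principal may invoke" and "authenticated and holding a required role". The following Python is an added illustration, not JBoss code: it reads constructed content in the jmx-console-users.properties and jmx-console-roles.properties line formats (user=password and user=Role1,Role2), then runs the same invoke request through an authentication-only gate and a gate that also requires the JBossAdmin role. User names, passwords and the role assignments are constructed for the example.

```python
import hmac

# Constructed sample content in the two properties-file formats used for the
# jmx-console security domain: users file is user=password, roles file is
# user=Role1,Role2. "userA" exists as a login but is given no role at all,
# which is exactly the situation the issue describes.
USERS_PROPERTIES = """\
# jmx-console-users.properties (constructed sample)
admin=admin-secret
userA=userA-secret
"""

ROLES_PROPERTIES = """\
# jmx-console-roles.properties (constructed sample)
admin=JBossAdmin,HttpInvoker
"""

REQUIRED_ROLE = "JBossAdmin"


def parse_properties(text):
    """Minimal key=value parser; comments and blank lines are skipped."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result


def load_users(text):
    """user -> password, as the users properties file lists them."""
    return parse_properties(text)


def load_roles(text):
    """user -> set of roles; users absent from the file get no roles."""
    return {user: {r.strip() for r in roles.split(",") if r.strip()}
            for user, roles in parse_properties(text).items()}


def authenticate(users, user, password):
    """Password check as the security domain would perform it."""
    expected = users.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def invoke_authn_only(users, user, password, operation):
    """Gate as described in the issue: any valid login may invoke anything."""
    if not authenticate(users, user, password):
        return "denied: authentication failed"
    return "executed " + operation


def invoke_with_role(users, roles, user, password, operation,
                     required_role=REQUIRED_ROLE):
    """Hardened gate: authentication and membership in the required role."""
    if not authenticate(users, user, password):
        return "denied: authentication failed"
    if required_role not in roles.get(user, set()):
        return "denied: %s lacks role %s" % (user, required_role)
    return "executed " + operation


if __name__ == "__main__":
    users = load_users(USERS_PROPERTIES)
    roles = load_roles(ROLES_PROPERTIES)
    # userA authenticates, so the authentication-only gate lets shutdown run.
    print(invoke_authn_only(users, "userA", "userA-secret", "shutdown"))
    # With a role requirement the same request is refused.
    print(invoke_with_role(users, roles, "userA", "userA-secret", "shutdown"))
    # admin holds JBossAdmin and is still allowed through.
    print(invoke_with_role(users, roles, "admin", "admin-secret", "shutdown"))
```

The role lookup falls back to an empty set for any user the roles source does not mention, which is the behaviour wanted for the custom-login-module case in the report: a principal the operating system accepts but that no roles file or table lists is refused, rather than admitted because authentication alone succeeded.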

              Assignee: Dimitrios Andreadis (dandread1@redhat.com)
              Reporter: Stephen Burdeau (burdeasa, Inactive)
              Votes: 0
              Watchers: 0
