JBossAS 5.1.0 GA provides jmx-remoting.sar compliant to JSR 160. Unfortunately the service is not secured and doesn't provide any way to secure it.
However the JMX API provides several mechanisms allowing authentication and authorization. Authentication can easily done against a login-module.
A forwarder can be implemented to extend the authorization against a role based mechanism.