JMX invoker authentication interceptor example doesn't make sense

The authentication interceptor on the jmx invoker references java:/jaas/jmx-console. Since the jmx-console.war classes and resources are no longer shared, this configuration example doesn't make sense. You would have to manually copy the users/roles property files out to the conf directory for them to be visible.

My recommendation would be to change the security-domain examples on the jmx invoker, jmx console and web console to all reference a new admin security domain that would use an admin-users.properties and admin-roles.properties file in the conf directory that we provide. It doesn't make any sense for the jmx-console and web consoles to use different security domains since web console depends on pages in the jmx-console application.

It would be better to unify them, and connect that with the jmx invoker. This would be easier to explain in the documentation and would make life easier on users. I'd go further and say that it would be even better if the security domains were active by default. Even though the username/password would still need to be changed, forcing the user to type "admin", "admin" to access the management features would do a better job of reminding them to secure these access points than leaving them wide open. For some reason, nobody seems to think twice about security when they aren't prompted for a password.