This definitely sounds like JAAS isn't picking up on your changes. You saw the comments in the "Update for 4.0.2"? I haven't tried to secure jmx-console before, but I have used the same JAAS mechanisms it uses, and usually the problem boils down to something being out of sync in jboss-web.xml or the login-config.xml file.
Joined: Jul 07, 2004
Yes, I saw them, and I event tried it with a copy of the user and roles properties files in the WEB-INF/classes folder.