With svn revision 1498875 I implemented a read-only setup for the web console. You can log in with user/user and then you'll be able to look at all the pages, but you'll be forbidden from performing any actions. A similar setup can be made in the karaf environment as well.
I think this is what most people want. After a bit of research it looks like crossing various security realms is a pretty hard problem to overcome. For example, going from web to JMX to broker. For JMX we can get the principal, but only if JMX is secured, and that doesn't solve the web console problem, as we only use a single principal to connect to the broker no matter who is using it. And in embedded mode we just go and use the API directly.
I think we need to keep JMX access administration only and secured. But we can allow people read-only access to the web console and that should cover most use cases.
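The read-only split described above, as an added illustration that is not the project's own code: a small authorization check that lets a viewer role see every page but denies anything that changes state. The `admin`/`user` role names, the `.action` path convention and the sample requests are assumptions constructed for this example; only the user/user credential comes from the post.

```python
"""Added example: read-only authorization for a web console.

Illustrative code, not ActiveMQ's implementation. The role names, the
'.action' path convention and the sample requests are assumptions
constructed for this example.
"""
from dataclasses import dataclass

ADMIN_ROLE = "admin"
VIEWER_ROLE = "user"

# Path suffixes assumed to perform a state change even when requested with
# GET (console actions are often plain links, so the method alone is not
# enough to tell a view from an action).
ACTION_SUFFIXES = (".action",)
SAFE_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_mutating(method: str, path: str) -> bool:
    """Treat non-safe methods and action endpoints as mutating."""
    if method.upper() not in SAFE_METHODS:
        return True
    base = path.split("?", 1)[0]          # ignore the query string
    return base.endswith(ACTION_SUFFIXES)


def authorize(roles, method: str, path: str) -> Decision:
    """Admin may do anything; the viewer role may only read; others are denied."""
    roles = set(roles or ())
    if not roles:
        return Decision(False, "unauthenticated")
    if ADMIN_ROLE in roles:
        return Decision(True, "admin")
    if VIEWER_ROLE in roles:
        if is_mutating(method, path):
            return Decision(False, "read-only role cannot perform actions")
        return Decision(True, "read-only view")
    return Decision(False, "no console role")


# Constructed sample principals (role sets) and requests.
SAMPLE_USERS = {"admin": {"admin"}, "user": {"user"}, "guest": set()}

SAMPLE_REQUESTS = [
    ("user", "GET", "/admin/queues.jsp"),
    ("user", "GET", "/admin/deleteQueue.action?JMSDestination=TEST"),
    ("user", "POST", "/admin/sendMessage.action"),
    ("admin", "GET", "/admin/deleteQueue.action?JMSDestination=TEST"),
    ("guest", "GET", "/admin/queues.jsp"),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Run every sample request through authorize() and return the decisions."""
    return [(u, m, p, authorize(SAMPLE_USERS.get(u), m, p)) for u, m, p in requests]


if __name__ == "__main__":
    for u, m, p, d in evaluate():
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {u:5} {m:4} {p} ({d.reason})")
```

The check keys on the path as well as the HTTP method because a console that triggers actions through GET links would otherwise let a viewer mutate state with an ordinary page load.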