In the developer profile, the admin-listener on port 4848 is non-secure by default (i.e., its "security-enabled" attribute is set to "false").
Dynamic reconfiguration of the admin-listener is not supported (it is supported for all listeners that handle user traffic, though). When you set the admin-listener's "security-enabled" attribute to "true" from the admin console, you will notice a "Restart Required" warning message in the upper left corner.
[Message sent by forum member 'jluehe' (jluehe)]
http://forums.java.net/jive/thread.jspa?messageID=294056