Here is a patch to the BeanShell manual (servletmode.xml, which I believe turns into bshmanual.html) which adds an example configuration to request a password when using the /eval servlet. This provides a bit more security, and it's important that people know how to set this up.
This adds the security-constraint, login-config and security-role entries needed in the web.xml file.
Ticket has been migrated to GitHub.
Please follow up on this over here: https://github.com/beanshell/beanshell/issues/475
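
For reference, a web.xml fragment with the three kinds of entries the ticket names, protecting /eval with a password. This is an added example, not the content of the attached patch or of the BeanShell manual; the role name `bsh-admin`, the realm name, the choice of BASIC authentication and the TLS requirement are assumptions.

```xml
<!-- Added example: goes inside <web-app> in WEB-INF/web.xml. -->
<!-- Assumes the BeanShell servlet is mapped at /eval; adjust url-pattern to the actual mapping. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BeanShell eval servlet</web-resource-name>
    <url-pattern>/eval</url-pattern>
    <!-- No <http-method> elements are listed, so the constraint covers every HTTP method. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical role name; only users holding this role may reach /eval. -->
    <role-name>bsh-admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only base64-encoded, so require an encrypted transport. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- The container prompts for a user name and password before serving /eval. -->
  <auth-method>BASIC</auth-method>
  <realm-name>BeanShell</realm-name>
</login-config>

<security-role>
  <!-- Declares the role referenced by the auth-constraint above. -->
  <role-name>bsh-admin</role-name>
</security-role>
```

The users and their role assignments are defined in the servlet container's own realm configuration, not in web.xml.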