diff --git a/cmd/runmqserver/webserver.go b/cmd/runmqserver/webserver.go
index 4852288..273e7b8 100644
--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -21,7 +21,9 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"syscall"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
 )
@@ -33,7 +35,22 @@ func startWebServer() error {
 		return nil
 	}
 	log.Println("Starting web server")
-	out, rc, err := command.RunAsMQM("strmqweb")
+	cmd := exec.Command("strmqweb")
+	// Set a default app password for the web server, if one isn't already set
+	_, set := os.LookupEnv("MQ_APP_PASSWORD")
+	log.Println(cmd.Env)
+	if !set {
+		// Take all current environment variables, and add the app password
+		cmd.Env = append(os.Environ(), "MQ_APP_PASSWORD=passw0rd")
+	}
+	log.Println(cmd.Env)
+	cmd.SysProcAttr = &syscall.SysProcAttr{}
+	uid, gid, err := command.LookupMQM()
+	if err != nil {
+		return err
+	}
+	cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}
+	out, rc, err := command.RunCmd(cmd)
 	if err != nil {
 		log.Printf("Error %v starting web server: %v", rc, string(out))
 		return err
diff --git a/incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml b/incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml
index d5d2303..fb1f855 100644
--- a/incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml
+++ b/incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml
@@ -23,13 +23,15 @@
     </enterpriseApplication>
     <basicRegistry id="basic" realm="defaultRealm">
         <user name="admin" password="${env.MQ_ADMIN_PASSWORD}"/>
+        <!-- The app user will always get a default password of "passw0rd",
+             even if you don't set the environment variable.
+             See `webserver.go` -->
         <user name="app" password="${env.MQ_APP_PASSWORD}"/>
         <group name="MQWebUI">
             <member name="admin"/>
         </group>
         <group name="MQWebMessaging">
             <member name="app"/>
-            <member name="admin"/>
         </group>
     </basicRegistry>
     <variable name="httpHost" value="*"/>
diff --git a/test/docker/devconfig_test.go b/test/docker/devconfig_test.go
index 46a52d2..933100e 100644
--- a/test/docker/devconfig_test.go
+++ b/test/docker/devconfig_test.go
@@ -50,15 +50,14 @@ func TestDevGoldenPath(t *testing.T) {
 	waitForWebReady(t, cli, id, insecureTLSConfig)
 	t.Run("JMS", func(t *testing.T) {
 		// Run the JMS tests, with no password specified
-		runJMSTests(t, cli, id, false, "app", "")
+		runJMSTests(t, cli, id, false, "app", defaultAppPasswordOS)
 	})
 	t.Run("REST admin", func(t *testing.T) {
 		testRESTAdmin(t, cli, id, insecureTLSConfig)
 	})
-	t.Run("REST messaging as admin", func(t *testing.T) {
-		testRESTMessaging(t, cli, id, insecureTLSConfig, qm, "admin", devAdminPassword)
+	t.Run("REST messaging", func(t *testing.T) {
+		testRESTMessaging(t, cli, id, insecureTLSConfig, qm, "app", defaultAppPasswordWeb)
 	})
-	// Can't run the messaging tests as "app" with the defaults, because you can't have an empty password
 	// Stop the container cleanly
 	stopContainer(t, cli, id)
 }
@@ -73,11 +72,12 @@ func TestDevSecure(t *testing.T) {
 	}
 	const tlsPassPhrase string = "passw0rd"
 	qm := "qm1"
+	appPassword := "differentPassw0rd"
 	containerConfig := container.Config{
 		Env: []string{
 			"LICENSE=accept",
-			"MQ_QMGR_NAME=", qm,
-			"MQ_APP_PASSWORD=" + devAppPassword,
+			"MQ_QMGR_NAME=" + qm,
+			"MQ_APP_PASSWORD=" + appPassword,
 			"MQ_TLS_KEYSTORE=/var/tls/server.p12",
 			"MQ_TLS_PASSPHRASE=" + tlsPassPhrase,
 			"DEBUG=1",
@@ -111,17 +111,13 @@ func TestDevSecure(t *testing.T) {
 	waitForWebReady(t, cli, ctr.ID, createTLSConfig(t, cert, tlsPassPhrase))
 
 	t.Run("JMS", func(t *testing.T) {
-		// Run the JMS tests, with no password specified
-		runJMSTests(t, cli, ctr.ID, true, "app", devAppPassword)
+		runJMSTests(t, cli, ctr.ID, true, "app", appPassword)
 	})
 	t.Run("REST admin", func(t *testing.T) {
 		testRESTAdmin(t, cli, ctr.ID, insecureTLSConfig)
 	})
-	t.Run("REST messaging as admin", func(t *testing.T) {
-		testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "admin", devAdminPassword)
-	})
-	t.Run("REST messaging as app", func(t *testing.T) {
-		testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "app", devAppPassword)
+	t.Run("REST messaging", func(t *testing.T) {
+		testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "app", appPassword)
 	})
 
 	// Stop the container cleanly
@@ -152,7 +148,7 @@ func TestDevWebDisabled(t *testing.T) {
 	})
 	t.Run("JMS", func(t *testing.T) {
 		// Run the JMS tests, with no password specified
-		runJMSTests(t, cli, id, false, "app", "")
+		runJMSTests(t, cli, id, false, "app", defaultAppPasswordOS)
 	})
 	// Stop the container cleanly
 	stopContainer(t, cli, id)
diff --git a/test/docker/devconfig_test_util.go b/test/docker/devconfig_test_util.go
index 9e08127..1ca662a 100644
--- a/test/docker/devconfig_test_util.go
+++ b/test/docker/devconfig_test_util.go
@@ -36,8 +36,9 @@ import (
 	"github.com/docker/docker/client"
 )
 
-const devAdminPassword string = "passw0rd"
-const devAppPassword string = "passw0rd"
+const defaultAdminPassword string = "passw0rd"
+const defaultAppPasswordOS string = ""
+const defaultAppPasswordWeb string = "passw0rd"
 
 // Disable TLS verification (server uses a self-signed certificate by default,
 // so verification isn't useful anyway)
@@ -60,7 +61,7 @@ func waitForWebReady(t *testing.T, cli *client.Client, ID string, tlsConfig *tls
 		select {
 		case <-time.After(1 * time.Second):
 			req, err := http.NewRequest("GET", url, nil)
-			req.SetBasicAuth("admin", devAdminPassword)
+			req.SetBasicAuth("admin", defaultAdminPassword)
 			resp, err := httpClient.Do(req.WithContext(ctx))
 			if err == nil && resp.StatusCode == http.StatusOK {
 				t.Log("MQ web server is ready")
@@ -151,7 +152,7 @@ func testRESTAdmin(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.C
 	}
 	url := fmt.Sprintf("https://localhost:%s/ibmmq/rest/v1/admin/installation", getPort(t, cli, ID, 9443))
 	req, err := http.NewRequest("GET", url, nil)
-	req.SetBasicAuth("admin", devAdminPassword)
+	req.SetBasicAuth("admin", defaultAdminPassword)
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		t.Fatal(err)
diff --git a/test/messaging/src/main/java/com/ibm/mqcontainer/test/JMSTests.java b/test/messaging/src/main/java/com/ibm/mqcontainer/test/JMSTests.java
index 44f5d4e..df0575d 100644
--- a/test/messaging/src/main/java/com/ibm/mqcontainer/test/JMSTests.java
+++ b/test/messaging/src/main/java/com/ibm/mqcontainer/test/JMSTests.java
@@ -73,6 +73,10 @@ class JMSTests {
         factory.setTransportType(WMQConstants.WMQ_CM_CLIENT);
         factory.setChannel(channel);
         factory.setConnectionNameList(String.format("%s(1414)", addr));
+        // If a password is set, make sure it gets sent to the queue manager for authentication
+        if (password != null) {
+            factory.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
+        }
         // factory.setClientReconnectOptions(WMQConstants.WMQ_CLIENT_RECONNECT);
         if (TRUSTSTORE == null) {
             LOGGER.info("Not using TLS");