OK, I need to authenticate based on more than j_username and j_password from the login form that the user gets redirected to.

I'd probably extend org.jboss.web.tomcat.security.AuthenticatorBase to make use of its existing logic, but override

public boolean authenticate(Request request, Response response, LoginConfig config) throws IOException

OK, now how do we specify that that class should be used for FORM based logins?