I studied docs and your link about securing datasource passwords.
Tried to make as written, but it doesn't works in my situation.

IDEA: Client is authentificated using DB via "DatabaseServerLoginModule"
Client sends plain password but on server it is hashed in compared
with passwd field value that also is hashed
I need hide password in -ds.xml.
Client App logins to server using Security domain "IBAuthDomain"
user name and password is stored in DB in hashed view.
This configs works fine while
datasource not using <security-domain>IBSimpleDomain</>
but use sysdba masterkey in -ds.xml.

If I
comment in -ds.xml

<user-name>sysdba</user-name>
 <password>masterkey</password>

<!-- <security-domain>IBSimpleDomain</security-domain> -->

FILE: D:\JAVA\jboss-3.2.5\server\all\conf\login-config.xml

#############################################################

<application-policy name = "IBSimpleDomain">
 <authentication>
 <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required">
 <module-option name = "UserName">sysdba</module-option>
 <module-option name = "Password">667f11fbdfef90b6d7b145018f031a36</module-option>
 <module-option name = "managedConnectionFactoryName">jboss.jca:servce=LocalTxCM,name=IBAuthDS1</module-option>
 <module-option name = "debug">true</module-option>
 </login-module>
 </authentication>
</application-policy>


<application-policy name = "IBAuthDomain">
 <authentication>
 <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
 <module-option name = "hashAlgorithm">MD5</module-option>
 <module-option name = "hashEncoding">base64</module-option>
 <module-option name = "dsJndiName">java:/IBAuthDS1</module-option>
 <module-option name = "principalsQuery">select USER_PASS from USERS u where u.USER_NAME=?</module-option>
 <module-option name = "rolesQuery">
 SELECT ROLE_NAME, 'Roles'
 FROM USERS U, USERS_GROUPS UG, GROUPS G,
 GROUPS_ROLES GP, ROLES R
 WHERE U.USER_ID = UG.USER_ID AND UG.GROUP_ID = G.GROUP_ID AND
 G.GROUP_ID = GP.GROUP_ID AND GP.ROLE_ID = R.ROLE_ID
 AND U.USER_NAME = ?
 </module-option>
 <module-option name = "debug">true</module-option>
 </login-module>
 </authentication>
</application-policy>



#############################################################

FILE: D:\JAVA\jboss-3.2.5\server\all\deploy\ibauth-ds.xml

#############################################################

<?xml version="1.0" encoding="UTF-8"?>
<!-- ==================================================================== -->
<!-- New ConnectionManager setup for firebird dbs using jca-jdbc xa driver-->
<!-- Build jmx-api (build/build.sh all) and view for config documentation -->
<!-- ==================================================================== -->
<connection-factories>
 <tx-connection-factory>
 <jndi-name>IBAuthDS1</jndi-name>
 <xa-transaction/>
 <adapter-display-name>Firebird Database Connector</adapter-display-name>
 <config-property name="Database" type="java.lang.String">localhost/3050:D:/JWORK/db/jfina.fdb</config-property>
 <user-name>sysdba</user-name>
 <password>masterkey</password>
<!-- <security-domain>IBSimpleDomain</security-domain> -->
 <min-pool-size>5</min-pool-size>
 </tx-connection-factory>
</connection-factories>

Everything works fine with config ( may be it bacause of CASE for keys username, password, and jboss.jca:service=TxCM not XaTxCM I don't know I absolute newbie sorry) :

<application-policy name = "IBSimpleDomain">
 <authentication>
 <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required">
 <module-option name = "username">sysdba</module-option>
 <module-option name = "password">667f11fbdfef90b6d7b145018f031a36</module-option>
 <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=IBAuthDS1</module-option>
 <module-option name = "debug">true</module-option>
 </login-module>
 </authentication>
</application-policy>