I've been working on an extension that allows me to use the source of a request (host address) in a LoginModule. To drive this process, I need to use a different realm manager for the tomcat-jboss integration. Unfortunately the current integration class org.jboss.web.tomcat.tc4.EmbeddedTomcatService contains much of its interesting guts in private methods and attributes. I suggest that all of the methods in this class should be protected, to allow somewhat easier extension construction.
While I'm at it, I also suggest that the class name for the security manager realm be an attribute in the deployment .xml file, rather than being hard-coded into createWebContext() method.