I was wondering about the same thing.
Maybe you could simply use FacesContext.getCurrentInstance()... if the login was to take place within a Faces context?
Otherwise you might try some of the classes in the org.jboss.web package, e.g. SecurityAssociationValve.activeRequest.get(); for the request and request.getSessionInternal(false); on the result of that to get the session.
I am not sure if this is the clean way of obtaining the HTTPServletRequest from the custom LoginModule. This should work
HttpServletRequest request = (HttpServletRequest) javax.security.jacc.PolicyContext.getContext("javax.servlet.http.HttpServletRequest");