We're actually going to start discussing it soon (maybe next week?). Start tracking the DeltaSpike dev list for more info. In the short term may I suggest Apache Shiro? It doesn't have full CDI support, but it's all POJO based, and creating producers for the objects you need would not be that difficult.
Shiro is a really nice security model especially since it handles instance/row level security. Unfortunately it's not CDI based which is a problem since it relies on the user providing a realm object which acts as a kind of security advisor and is invoked/calledback during security handling events by shiro core and ideally in a CDI application that Realm object would be CDI managed.
So you'd need to create some sort of hack where you provide a CDI aware delegating realm object which would look up the CDI bean manager and request the actual CDI Realm implementation and delegate the Realm interface calls to the CDI provided realm object.
I really do hope the deltaspike devs do consider the shiro security model and provide nice Annotations and JSF extensions for the security implementation to be hooked into the appropriate places in an application.
If you'd like to get involved with the discussions, please subscribe to the deltaspike-dev mailing list and let your voice be heard