Follow-up..You may have seen my previous posts about security :) That occured because I was trying to get setup to do a webapp on a consultant basis.
Meanwhile, a version of JBoss I slid in at work while no one was looking that deploys our continuous integration engine's build servlet (cruisecontrol) has taken on more and more responsibilities.
So, authorization is no longer an academic question. I have to bring it up quick!
Today it just became a critical system (very-cool!) but a side-effect is that the app that was just installed needs login authentication to keep certain folks out of certain areas of the web site. There are no ejb's involved - it's a wiki for those who care.
Question remains: if trying to basic or form authenticate a web app without ejb's using the UsersRoles Login module then where do I put the .properties where they are available but serve-able!
I found for my self locate those properties files into your $JBOSSHOME/conf/confname directory.
Also You probably can locate it into ear archive (never tried)