No problem, I'm happy to help.
As to properties files, I just included them inside the jar at root level. This effectively places them in the classpath. I then tend to load them via getClass.getResourceAsStream("jboss.properties") and pass the Properties object as an argument to the InitialContext constructor.
As to security, you need to have made a very detailed reading of the Jboss documentation to work out what to do.
( It's all at http://www.jboss.org/online-manual/HTML/ch12s78.html )
-The system property "java.security.auth.login.config" must be set to the URI of an authentication config file.
-The config file registers the 'org.jboss.security.ClientLoginModule'
which integrates the local JVM with the JBoss server. Look at their example.
-In the code, create a LoginContext as described in the Javadocs and login.
I got all this working nicely with a stand-alone client. I posted the auth.conf file up on the website and everything worked fine. The problem came when I tried to use WebStart to launch the application. Even when WebStart grants 'all-permissions' this does not include the permission to set system properties like "java.security.auth.login.config". As far as I can see, there is no way to register the JAAS components properly.
For this reason, I stopped using JAAS. If you find a work-around I'd like to hear it.
The optional JAAS library for JDK1.3 has a 'feature' that causes it to look for login modules from the system classloader! JAAS included in JDK1.4 has been fixed. The workaround is to put your login module in the JRE/lib/ext dir! (Sad but true!)
I have the same problem with webstart. I tried all the above, but I keep on getting 'unable to instantiate login module'. With ordinary stand-alone client everything works fine.