OK, I received an answer by Scott Stark through another channel. I haven't tried it yet, but because it could be interesting for other people to I post this follow-up to my own question:
module: src/main/org/jboss/security/auth/spi; files:
comments Update the AbstractServerLoginModule and subclasses overriding login to whether login completes successfully. This determines whether the phase should be performed. If the loginOk ivar is not set to true login, commit returns false and does not modify the Subject state. This necessary for chaining login modules together with control flags that do require the login module to complete its login.
Note: if you have custom login module subclasses that
override the login method of AbstractServerLoginModule or UsernamePasswordLoginModule you will need to update your code to property set the loginOk ivar.
Especially the Note is important for me. Thanks to Scott for seeking this out!