you can do your own JAAS configuration, have a look at javax.security.auth.login.Configuration. It will be a little bit more complicated than the JNDI properties, though.
If you don't care about portability you could also do the login with
org.jboss.security.SecurityAssociation.setPrinicpal / setCredentials
Thanks for the lead, I'm on it.
Another option that would work if do-able would be to put the auth.conf in the app.jar file and reference it there instead of out on the file system. Is that a simpler option?