I am only new to JAAS in JBoss and as such may not be right, however I don't think your statement is correct.
My understanding is that although you do not need to specify an auth.conf in your webapp you still have to specify the security domain that you are working with. jboss-web.xml is used to store this data and acts as a replacement for auth.conf if you like. The login-config.xml is not a replacement for auth.conf as your auth.conf would only generally point to a configuration in login-config.xml that is wishes to use (not replace its use, at least that is my understanding on how it integrates with JBoss and EJB etc..) So my understanding is that jboss-web.xml is more of a replacement of auth.conf for your webapp.
Hope this helps, somebody correct me if I am wrong.
So my understanding is that jboss-web.xml is more of a replacement of auth.conf for your webapp.
ok. What you said makes sense.