The only issue is securing the EJB with the DatabaseLoginModule. Clearly there must be some minimal set of user/roles to allow access to the entity beans modifying the DatabaseLoginModule tables. The only other issue with the scenario you describe is ensuring the authentication cache is flushed when the database roles are changed. If that is needed, see:
Scott, I thank you very much for your help on this issue!! Your responses on this forum are one of the main reasons I have been able to create a successful JBoss application. I'm sure many others are in this boat too...
Security was so easy to set up this way, I almost feel dirty. :)
In case anyone wants to know, I'm running only two security entity beans: "Role" and "Principal". I'm using CMR to set up a many-to-many relationship between them, so there is a "Role_Principal" table in the middle.
The principalQuery runs off of the "Principal" table.
The rolesQuery runs off of the middle "Role_Principal" table.
I just set up a simple session bean to allow creation/changing of users and roles, and everything is working sweetly. Initially, as Scott mentioned, you have to create an administrative account manually. I just set up a quick SQL query to create a password changer account that my users can run on install.
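For readers following the thread, a `login-config.xml` policy matching the table layout described above could look like the following. This is an added example, not configuration posted by either participant. The option names are those of JBoss's `DatabaseServerLoginModule`; the domain name, datasource JNDI name, column names, and the assumption that passwords are stored as base64-encoded SHA-256 digests are all hypothetical.

```xml
<!-- Added example. "example-domain", "java:/ExampleDS" and every column name
     below are assumptions; only the table names come from the thread. -->
<application-policy name="example-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Datasource the module uses to read the security tables -->
      <module-option name="dsJndiName">java:/ExampleDS</module-option>

      <!-- Must return exactly one column: the stored credential for the user.
           The single ? is bound to the login name as a prepared-statement
           parameter, so the name is never concatenated into the SQL. -->
      <module-option name="principalsQuery">
        SELECT password FROM Principal WHERE principal_id = ?
      </module-option>

      <!-- Must return two columns: the role name and the role group.
           'Roles' is the group the container checks for EJB method
           permissions. Reads the CMR join table directly. -->
      <module-option name="rolesQuery">
        SELECT role_id, 'Roles' FROM Role_Principal WHERE principal_id = ?
      </module-option>

      <!-- Assumption: the password column holds a digest, not cleartext.
           The module hashes the submitted password before comparing. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Because the session bean that edits these tables is protected by the same domain, the manually created administrative account needs a row in `Role_Principal` for whichever role that bean's method permissions require, and role changes only take effect for an already-authenticated user once the authentication cache entry is flushed or expires.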