Authentication is done with LoginModules in JBoss. If you just want to specify users in a flatfile, you can use this as a guide:
The UsersRolesLoginModule allows you to specify users, passwords, and their roles, and tie it into an application authentication mechanism.
I believe those files are stored at:
you authentication configurations happen in multiple files:
$JBOSS_HOME/server/[serverconfig]/conf/login-config.xml --> This specifies your loginModule configurations, and which application uses which modules
$WEBAPP_HOME/WEB-INF/web.xml --> As normal, this specifies your roles and which servlets are protected
$WEBAPP_HOME/WEB-INF/jboss-web.xml --> This links your web application to the application-policy stated in the login-config.xml