1 Reply Latest reply on Jan 17, 2006 8:38 PM by mrforms

    Custom JAAS-Login with Servlet-Filter and Struts-App. for Au

    markus.schaefer

      Hi all!

I have a question about our general architecture of a WebApp authentication:

      We use a custom JAAS Login-Module, which is initially called by a Struts-Action. The Action adds the LoginContext to the HttpSession on successful authentication.

      The Application is further protected by a ServletFilter, which checks the session for the LoginContext:
      if LoginContext available => lc.login(); doFilter(..); lc.logout()
      else => redirect to Login-JSP calling above mentioned Struts-Action.

      The module-stack (in login-config.xml) for our custom login contains both our custom LoginModule and ClientLoginModule.

Everything works fine so far, but we cannot retrieve HttpServletRequest.getRemoteUser() and HttpServletRequest.isUserInRole(), as it seems that our Principals are not "injected" into the web-container's context.

      Is there a way to get the Subject's data into the context/request?
      Is it probably a configuration issue?
      Or is the design generally bad?

        • 1. Re: Custom JAAS-Login with Servlet-Filter and Struts-App. fo
          mrforms

          I would recommend that you use standard FORM authentication with j_security_check. If you add your struts action in the protected resources, your authentication page will be displayed. Make sure you have added both ClientLoginModule and your own LoginModule in the application policy under the login-config.xml for your security realm. If you use this method, the entire login context stuff is taken care of automatically by the container. I never had to write anything.

We did write a custom Form authenticator, Realms etc. and it was not very hard to set up, but we had to recompile some classes in JBoss because of package visibility issues, which is not a criticism, by the way.

          Also make sure your LoginModule properly adds the roles, principals and the likes to your subject in the commit methods.

          Make sure your security realm is properly configured in your tomcat server.xml file. You will need to add the realm configuration in there (use the default JBossSecurityMgrRealm) and put a jboss-web.xml with the name of your JBoss realm in there (the same name that was defined in your login-config.xml for application policy).

Also try and configure the server.xml in tomcat to use the JBoss class loader. We had some issues where some classes were not equal in your callbackhandler because of different classloaders. There is a parameter out there that you can set to true.

          If not, have a look into the source of:
org.jboss.web.tomcat.security.FormAuthenticator and look how they set the principal returned by the realm (an instance of JBossGenericPrincipal) in the session using notes.

          Then look at the source of:
          org.jboss.web.tomcat.security.SecurityAssociationValve

If I remember right, all you have to do with your principal and the likes is to invoke the SecurityAssociationActions method like this, to make sure the credentials are properly associated:
          SecurityAssociationActions.setPrincipalInfo(principal.getAuthPrincipal(),
          principal.getCredentials(), principal.getSubject());

          Hope this helps !
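An added example, not code from this thread or from JBoss itself, of the container-managed route mrforms describes: a LoginModule built on the JBoss UsernamePasswordLoginModule base class, whose commit() populates the Subject with the identity principal and a "Roles" group so that getRemoteUser() and isUserInRole() work. The class name, realm name and the in-memory user table are assumptions made for the example.

```java
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Login module for the container-managed FORM / j_security_check path. The
 * container drives login(); on success the JBoss base class's commit() adds the
 * identity principal and the groups from getRoleSets() to the Subject, which is
 * what getRemoteUser() and isUserInRole() read. The group must be named "Roles":
 * that is the name the JBoss web container consults for isUserInRole().
 * Wiring (names assumed): login-config.xml application-policy "ExampleRealm"
 * listing this module plus org.jboss.security.ClientLoginModule; jboss-web.xml
 * <security-domain>java:/jaas/ExampleRealm</security-domain>; web.xml FORM auth.
 */
public class ExampleLoginModule extends UsernamePasswordLoginModule {
    // Constructed in-memory store: username -> {password, role, role, ...}.
    // A real module would look these up in a directory or database.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] {"alice-secret", "manager", "employee"});
        USERS.put("bob",   new String[] {"bob-secret", "employee"});
    }

    /** Expected password for the username collected through the CallbackHandler. */
    protected String getUsersPassword() throws LoginException {
        String[] entry = USERS.get(getUsername());
        if (entry == null) {
            // Fail the same way as a wrong password so the response does not
            // reveal which usernames exist.
            throw new FailedLoginException("Invalid username or password");
        }
        return entry[0];
    }

    /** Roles of the authenticated user, grouped under the "Roles" group. */
    protected Group[] getRoleSets() throws LoginException {
        String[] entry = USERS.get(getUsername());
        Group roles = new SimpleGroup("Roles");
        for (int i = 1; i < entry.length; i++) {
            roles.addMember(new SimplePrincipal(entry[i]));
        }
        return new Group[] { roles };
    }
}
```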