AFAIK the LoginContext is only created when it is needed for the first time. So unless you start declaring some security constraints on your webapp you will never know whether it works or not.
I have it working. It's critical to use exactly the right format in jboss.xml. It must be:
not anything with java:/jaas or anything like that.
I wrote my own LoginModule from scratch and it works fine. Is there any reason why I shouldn't use my own LoginModule instead of subclassing some from JBoss? I figured out how to set up the Roles group and the CallerPrincipal group and all the values seem to get passed around correctly.