I have read all of the Security FAQ, several times, to no avail.
Q3: "This also needs to be explained more..." I'd agree. And what does "propagating to the called component" even mean in the security context? It could fail for multiple reasons. It should be clarified.
Q7: follow-up Q, what does "user has authenticated to the container" mean?!
Q10: as mentioned, I'm setting the information into the InitialContext correctly, because I can use the org.jboss.security.auth.spi.UsersRolesLoginModule.
Q4: I've updated my log4j config file as mentioned and don't see any extra logging. Is there something additional I need to configure?