No there isn't.
By default you specify a user/password on the data source deployment then
anybody in the container can use it.
You can setup a datasource to use the CallerIdentityLoginModule
this would pass the user/password from the ejb/servlet through to the database.
It is on my TODO list to containerize the connection factory proxies
and the objects they create such that you can add custom interceptors like
this security requirement.
The simplest way to do with the current architecture would be to
modify the CachedConnectionManager when it is told to register a connection
for an application. But this is not really the purpose of this service.