The CallerIdentityLoginModule as described here sounds its what you want. If its not provide the specifics of the identity mapping your looking for.
Ahh, I see now. The RA stuff just has a realm name, and everything else goes in login-config.
What I had in mind was a login module that mapped the caller userid/password to another pair, possibly controlled by a properties file the way the server-side EJB login module works.
I'll check the source code to see if there is one. If not, it should be simple enough to supply.
Thanks for the reply.