I have implemented my own CallbackHandler and in jboss-service.xml have the following:
<!-- JAAS security manager and realm mapping --> <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager"> <attribute name="ServerMode">true</attribute> <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute> <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute> <attribute name="CallbackHandlerClassName"> com.security.auth.module.DbCallbackHandler </attribute> <attribute name="DefaultCacheTimeout">1800</attribute> <attribute name="DefaultCacheResolution">60</attribute> <attribute name="DeepCopySubjectMode">false</attribute> </mbean>