I to have come across the same problem. Fortunately, I'm not being pressed to find a solution.
At first glance, you could create a wrapper datasource around the true datasource and delegate all calls to the true datasource. For the getConnection, you can then do whatever work is needed to decrypt the password in the wrapper.
A bit of a hack, but should work.
I have similar situation where I need to encrypt my password in oracle_ds.xml. I was searching in the forum for answer but I could not find a clear answer.
So I tried this and it worked. It may be a solution to what you are looking for( if you have not already found one :-) ), but you need to take care of decrypting your encrypted passwords in application.
Here is what worked for me:
1) Leave username and password fileds in
2) You can still get a datasource by looking up what ever JNDI name you bind it to, in your applications.
3)At the time of creating a connection from the data source used the datasource.getConnection(user,pass) method.
4)Since your application is passing in the parameters it can decrypt the encrypted passwords and pass them.