How would the LmProfileExt be used, from the base class that subclass may implement? This is pretty much just a particular implementation of a CallbackHandler with a map type Callback so you could just use that and not require any specific contract be implemented by the login module. Instead, a CallbackHandler would be specified along with one or more Callback instances to populate. The problem is how to map the value into the subject.
The additional queries seem fine.
I'd probably just put it on the subclasses that implement it, since some login modules may not have extended properties.
This can be JBoss specific, how about SecurityAssociation.getExtendedSubject() which returns ExtendedSubject which has the gets for the profile and "getSubject" for the normal subject?
The SecurityAssociation is fragile to extend so I would be relucant to do that until we look further into what is required to integration with security frameworks like saml that also allow for extended subject attributes. Its not clear how this fits into the jaas authentication layer.