For the AS7 management API security, we are currently discussing how to re-use as much as possible of the already integrated PicketBox project.
One requirement that we have is that the security of the management API is not going to be running within an AS7 so it is not possible to depend on some services normally available at runtime.
At the moment, looking at the login modules, would it be possible, where identified, for these to be re-factored to make either overriding access to the server resources easier or even including some form of plug-in mechanism for that access?
The first module that has been identified as having an issue without the AS is the DatabaseServerLoginModule; this module depends on both JNDI and a deployed datasource. When running within the domain controller, JCA will definitely not be available and I doubt the availability of JNDI, but a connection pool may be available, so for this module we would be looking for a way to override how the connection is obtained.
The login modules are being redesigned as indicated in http://community.jboss.org/message/58243 so there is definitely a chance for changes like these.
I'll certainly keep this in mind when I start work on the DB login module.
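
The override requested in the first post, sketched as an added example that is not part of the original thread and is not PicketBox code: a plain JAAS login module that takes its connection from a pluggable source instead of a JNDI datasource lookup. `ConnectionSource`, `PluggableDbLoginModule` and the option names `connectionSource` and `principalsQuery` are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.*;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
/** Hypothetical seam: the host process decides how a connection is obtained. */
interface ConnectionSource { Connection getConnection() throws SQLException; }
public class PluggableDbLoginModule implements LoginModule {
    private CallbackHandler handler;
    private ConnectionSource source;
    private String query;
    private boolean authenticated;
    @Override public void initialize(Subject subject, CallbackHandler handler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        // Assumed option names. A domain controller passes a pool-backed source;
        // inside the server the source could wrap a JNDI DataSource lookup.
        this.source = (ConnectionSource) options.get("connectionSource");
        this.query = (String) options.get("principalsQuery"); // one '?' for the user name
    }
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("Username: ");
        PasswordCallback pass = new PasswordCallback("Password: ", false);
        String stored = null;
        try {
            handler.handle(new Callback[] {name, pass});
            try (Connection c = source.getConnection();
                 PreparedStatement ps = c.prepareStatement(query)) {
                ps.setString(1, name.getName()); // bound parameter, never concatenated
                try (ResultSet rs = ps.executeQuery()) {
                    if (rs.next()) stored = rs.getString(1);
                }
            }
        } catch (Exception e) {
            throw (LoginException) new LoginException("credential lookup failed").initCause(e);
        }
        // Assumes the column holds a value directly comparable to the input.
        char[] given = pass.getPassword();
        authenticated = stored != null && given != null && MessageDigest.isEqual(
            stored.getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8));
        pass.clearPassword();
        if (!authenticated) throw new FailedLoginException("invalid credentials");
        return true;
    }
    @Override public boolean commit() { return authenticated; } // principals would be added here
    @Override public boolean abort() { authenticated = false; return true; }
    @Override public boolean logout() { authenticated = false; return true; }
}
```

Because the options map can only carry an object reference when the JAAS `Configuration` is built programmatically, a file-based configuration would instead need to name a `ConnectionSource` implementation class for the module to instantiate.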