Security domains based on property files are the simplest of all login modules we provide. Any serious real world application would actually use DBs or LDAP servers as the backend for authentication.
I don't see a problem of requiring the property file to be included in the application so it's available in its classpath. Remember web-console used to do just that.