Marcus,
this is what I plan to do.
1) Security subsystem domain model settings
This needs to install the Picketbox configuration. Atleast 1 or more ApplicationPolicy instances in the server.
2) Deployment of war files
In the DeploymentWarProcessor where the web context is created. Something like:
JBossWebRealm jbossRealm = new JBossWebRealm();
AuthenticationManager authMgr = SecurityFactory.getAuthenticationManager( securityDomain );
jbossRealm.setAuthenticationManager( authMgr );
//Similarly authorization manager too is injected into jbossrealm
webContext.setRealm( jbossRealm );