Hi SB,
jBPM is a workflow engine; the identity management features are very limited and not suited for production, in my opinion.
You use EnvironmentImpl.setAuthenticatedUserId() to tell the engine which user is performing actions.
Getting the authenticated user, password management, etc. is not in the scope of jBPM; this is the job of other frameworks like Spring Security, Seam or JAAS...