Hi,
I don't know whether login works for JBoss by simply implementing "javax.security.auth.spi.LoginModule". I think your own login modules should plug in the JBoss security framework ("JBossSX"), which is done by subclassing "org.jboss.security.auth.spi.AbstractServerLoginModule".
Your own approach seems to build a custom security framework which does not play together with JBoss ;-).
The failing "@RolesAllowed" are a symptom of this: take a look at my last post, the method "getRoleSets" returns a list of user roles which are mapped against those RolesAllowed. But the concept of roles is missing in your LoginModule implementation, so that JBoss cannot do anything about it.
Hope this helps
Wolfgang