It is possible to define external authenticators as described in:
Step 2 of the configuration describes how to enable this by using an alternative configClass in the jbossweb-tomcat55.sar/server.xml:
<!-- UNCOMMENT TO ENABLE CUSTOMIZATION OF TOMCAT AUTHENTICATORS
autoDeploy="false" deployOnStartup="false" deployXML="false"
The problem is that the org.jboss.web.tomcat.security.config.JBossContextConfig class is not included in the build. At least not in the downloadable 4.0.4.CR2 release.
I had to do a custom build to enable this; the class is specifically commented out in the tomcat build scripts.