I wrote a custom login module and configured it at login-config.xml as follows:
In a second step I wrote a simple JSF application that performs the login using HttpServletRequest.login() that works very well.
Finally I used HttpServletRequest.getUserPrincipal() to retrieve the custom principal created during the login process.
On JBoss I'll just get a JBoss internal org.jboss.security.SimplePrincipal and I have to use PolicyContext.getContext("javax.security.auth.Subject.container") to get the desired principal.
The custom login module implements javax.security.auth.spi.LoginModule and is not derived from org.jboss.security.auth.spi.UsernamePasswordLoginModule since it should work on any JavaEE Container.
As far as I understood the specification the element <module-option name="principalClass"> should be used to achieve this behavior.