Almost. If you wanted to design this in accord with Sun's
J2EE programming model, then this is how you would do it. There are certainly other design options.
The JAAS-related code is for security. It shouldn't be creating a domain/business object as a result. Basically, all you need is a signal from the login module, 0 or 1, yes or no, good or bad. If there is indeed other security-related info needed, then this gets passed back to the business tier. Ideally, your "user" object has already been created. It just needs to be authenticated and authorized.
Aside, JAAS is typically for distributed, enterprise systems, i.e. big boys, built with enterprise-class application servers, e.g. WebSphere, WebLogic, etc. These systems have the heavy security requirements which JAAS was designed to address.