In Developers Guide, Security Framework, Architecture (section)
It is mentioned that ProxyLoginModule must be "available from the system classloader". This does not seem correct. The LoginContext class calls Class.forName(<module class>, true, <context class loader>) to load the login module classes. When the context loader is null, Class.forName() delegates to the loader of the current class, which in the case of LoginContext is the boot loader. So if we have ProxyLoginModule on the system classpath, it will be bypassed.
In Equinox we can get away with this because Equinox sets a context class loader of its own, which delegates to the system loader. I suspect on Felix this will not work.
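The loader visibility at issue in this report can be checked with a small stand-alone program. This is an added example, not code from the report or from the project; it exercises only the three-argument Class.forName() call, not LoginContext itself, and SampleLoginModule is a hypothetical stand-in for a login module placed on the application classpath.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class LoaderVisibilityDemo {

    // Hypothetical stand-in for a login module that lives on the application classpath.
    public static class SampleLoginModule {}

    // Resolve a class name through the given loader and report which loader defined it.
    static String resolve(String name, ClassLoader loader) {
        try {
            Class<?> c = Class.forName(name, true, loader);
            ClassLoader definer = c.getClassLoader();
            return "loaded, defined by " + (definer == null ? "bootstrap loader" : definer);
        } catch (ClassNotFoundException e) {
            return "ClassNotFoundException";
        }
    }

    public static void main(String[] args) {
        String module = SampleLoginModule.class.getName();
        ClassLoader system = ClassLoader.getSystemClassLoader();

        // A null loader argument means "bootstrap loader only": JDK classes resolve,
        // classes on the application classpath do not.
        System.out.println("null loader, java.lang.String : " + resolve("java.lang.String", null));
        System.out.println("null loader, module           : " + resolve(module, null));

        // The system (application) loader sees the classpath entry.
        System.out.println("system loader, module         : " + resolve(module, system));

        // A context class loader that delegates to the system loader, which is
        // the arrangement the report attributes to Equinox.
        ClassLoader delegating = new URLClassLoader(new URL[0], system);
        Thread current = Thread.currentThread();
        ClassLoader saved = current.getContextClassLoader();
        try {
            current.setContextClassLoader(delegating);
            System.out.println("context loader -> system      : "
                    + resolve(module, current.getContextClassLoader()));
        } finally {
            current.setContextClassLoader(saved); // restore the thread's original loader
        }
    }
}
```

Running the same check inside each OSGi framework, with the thread's actual context class loader passed to resolve(), shows whether a module on the system classpath is reachable there.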