That may not be necessary. Fedora could just be redefining the values of the various properties that inform the actions of the default Configuration impl.
Sorry that my last suggestion didn't pan out. If you are willing to try another...
If you can find a way to call Configuration.getConfiguration() within your appserver process, either via a debugger or from another application deployed in your appserver (while the fedora app is deployed and with the security manager disabled), then you will be able to see what configuration is in effect, and what appConfigurationEntries are contained within it.
You can look in $JAVA_HOME/jre/lib/security/java.security to find the default Configuration impl:
#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile
and Glassfish sets its login.conf file in domain.xml (via the corresponding system property):
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
[Message sent by forum member 'monzillo' (ronald.monzillo_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=386446
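
The check suggested in the message above, as an added example that is not part of the original post: a small class that reports which JAAS Configuration is in effect in the JVM it runs in. The class name JaasConfigDump, the describe() method and the entry names passed to it are assumptions made for illustration; the Configuration API cannot enumerate entry names, so the caller has to supply the ones to look up.

```java
import java.security.Security;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Added example (hypothetical class): dumps the JAAS login configuration in effect. */
public class JaasConfigDump {

    /** Describes the active Configuration and the entries found for the given names. */
    public static String describe(String... appNames) {
        StringBuilder out = new StringBuilder();
        // Default impl, as named in $JAVA_HOME/jre/lib/security/java.security
        out.append("login.configuration.provider=")
           .append(Security.getProperty("login.configuration.provider")).append('\n');
        // Location of the login config file, if set as a system property
        out.append("java.security.auth.login.config=")
           .append(System.getProperty("java.security.auth.login.config")).append('\n');

        Configuration cfg;
        try {
            cfg = Configuration.getConfiguration();
        } catch (SecurityException e) {
            // Raised when no configuration can be loaded or access is denied
            return out.append("no Configuration available: ").append(e).append('\n').toString();
        }
        // Shows whether the default impl or a replacement is actually installed
        out.append("Configuration impl=").append(cfg.getClass().getName()).append('\n');

        for (String name : appNames) {
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(name);
            if (entries == null) {
                out.append(name).append(": no entry\n");
                continue;
            }
            for (AppConfigurationEntry e : entries) {
                out.append(name).append(": ").append(e.getLoginModuleName())
                   .append(" [").append(e.getControlFlag()).append("]\n");
                // Print option names only; option values may hold credentials
                for (String key : e.getOptions().keySet()) {
                    out.append("    option ").append(key).append('\n');
                }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Entry names to look up are taken from the command line
        System.out.print(describe(args));
    }
}
```

To inspect the appserver's configuration rather than a standalone JVM's, call describe() from a servlet or JSP in an application deployed alongside the one being diagnosed.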