This way I wouldn't be able to use declarative security for EJBs or web resources though, right? Neither would I be able to use programmatic security using getCallerPrincipal() or getUserPrincipal() for that matter, right?
Correct.
I was thinking of having an interface with the methods I would need in my application related to that functionality, such as createUser() and changePassword(), and then I would have different implementations of this interface for different app servers and have an Abstract Factory return the implementation for the app server that my application is currently using, based on a parameter. Would you say that was a good idea?
That would work, but it sounds like a lot of work. Are you sure you can't use standard APIs like JAAS or JNDI/LDAP coupled with web app or EJB security?
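The exchange above contrasts the standard container-managed route (declarative security plus programmatic checks through getCallerPrincipal() and getUserPrincipal()) with a home-grown user-management layer. The following is an added example, not code from the original thread, showing what the standard route looks like in Java EE: an EJB guarded with @RolesAllowed that also inspects the caller principal, and a servlet that checks the container-authenticated identity before delegating. The role names "admin" and "user", the class names and the URL pattern are assumptions for illustration; the realm or LDAP configuration that maps users to those roles is container-specific and is not shown.

```java
// File: AccountService.java  (added example; role names are assumptions)
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Declarative security: the container rejects callers outside the listed roles
// before the method body ever runs, so no hand-written role check can be forgotten.
@Stateless
@DeclareRoles({"admin", "user"})
public class AccountService {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("admin")
    public String resetPassword(String targetUser) {
        // Programmatic security: the identity the container propagated to the EJB.
        // Use it for auditing; it is not something the client can forge in a parameter.
        Principal caller = ctx.getCallerPrincipal();
        return "password for " + targetUser + " reset by " + caller.getName();
    }

    @RolesAllowed({"admin", "user"})
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        boolean admin = ctx.isCallerInRole("admin");
        return caller.getName() + (admin ? " (admin)" : "");
    }
}

// File: AccountServlet.java  (added example; URL pattern is an assumption)
import java.io.IOException;
import java.security.Principal;

import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/account")
// Declarative web-tier security: unauthenticated requests are challenged by the
// container (form, BASIC, etc. per web.xml) and never reach doPost().
@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin", "user"}))
public class AccountServlet extends HttpServlet {

    @EJB
    private AccountService accounts;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic check: getUserPrincipal() returns null when the container has
        // not authenticated the request, which can happen if a URL is left unconstrained.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Ask the container about roles; never trust a client-supplied "role" field.
        String target = req.getParameter("target");
        if (req.isUserInRole("admin") && target != null) {
            resp.getWriter().println(accounts.resetPassword(target));
        } else {
            resp.getWriter().println(accounts.whoAmI());
        }
    }
}
```

The point of the layering is that the EJB's @RolesAllowed holds even if some other caller (a different servlet, a remote client) reaches it without going through AccountServlet, while the servlet's null-principal check catches misconfigured URL constraints. Both identities come from the container, so the same code works unchanged against a JAAS login module or an LDAP realm, which is what makes it portable across app servers without a per-vendor factory.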