This page explain how to integrate JCAPTCHA with the standard J2EE security model
A brillant article has been written by Anand Raman : See Create an anonymous authentication module:Use a CAPTCHA-based authentication module for J2EE Web applications
This is a great introduction on how to integrate JCAPTCHA with the standard J2EE security model.
On my point of view (MAG), it would have been better to use a JCAPTCHA service implementation rather than directly an engine in the token factory and the LoginModule, but this is not a big issue.
This is a common mistake on using JCAPTCHA. This means that the documentation is not clear about it : if someone read those lines and write a clear and understable english, please feel free to contribute.