I do exactly that in my applications running on JBoss AS.
Here's what I do to access the HttpServletRequest from within the login module:
HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext(HttpServletRequest.class.getName());
Then I get the session, extract the captcha and validate it against the request parameter from the screen. After I authenticate the user, I remove the captcha parameter from the session. This works fine for me.
Note that the login module can also be activated by EJB calls after the user is already authenticated. In that case, the captcha parameter won't be in the session, of course. So you should check it.