From the OC4J 10.1.3.1 release onwards, we now provide a fully supported login module that authenticates users against entries in a database table.
This is documented here in the J2EE Security Guide for 10.1.3.1: http://download-west.oracle.com/docs/cd/B32110_01/web.1013/b28957/loginmod.htm#sthref417
What the doc mentions, but doesn't show is that you can configure this login module as the security provider using Application Server Control and the Customer Login Module option. Granted, it'd be nice to have a more concise dialog to configure this specific user module, but you can still do it using by supplying the class name yourself and setting all the required properties to configure it.
Here's a screen shot of ASC that shows the configurartion screen with the basic set of required properties.
To reach this screen, click into the application you want to configure, click the Administration tab and then the Security Provider task.