Your EJB client is the problem. This is because it requires authentication first before it can authenticate itself. Either:
1. Make the client non-EJB.
2. Wrap the client EJB in a separate jar, with separate jboss.xml and ejb-jar.xml files, that do not specify any security domain. The EJB will then be able to authenticate, and any other resources in your app will still require authentication and authorisation. Assuming your app is an ear file, it might look something like:
/my-main-app.jar (with all EJBs, other resources requiring JAAS)
/my-authenticating-app.jar (with the EJB performing the authentication - this jar must have NO security domain)
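
The two-jar layout described above, sketched as deployment descriptors. This is an added example, not part of the original answer; the security domain name `my-domain` and the bean names `OrderServiceBean` and `LoginBean` are assumptions.

```xml
<!-- Constructed example; DOCTYPE/schema declarations omitted from each file. -->

<!-- ear: META-INF/application.xml, both jars deployed as EJB modules -->
<application>
  <display-name>my-app</display-name>
  <module><ejb>my-main-app.jar</ejb></module>
  <module><ejb>my-authenticating-app.jar</ejb></module>
</application>

<!-- my-main-app.jar: META-INF/jboss.xml
     The security domain applies to every bean in this jar
     ("my-domain" and OrderServiceBean are assumed names). -->
<jboss>
  <security-domain>java:/jaas/my-domain</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>OrderServiceBean</ejb-name>
    </session>
  </enterprise-beans>
</jboss>

<!-- my-authenticating-app.jar: META-INF/jboss.xml
     No <security-domain> element, so callers reach LoginBean (assumed name)
     before they have authenticated. -->
<jboss>
  <enterprise-beans>
    <session>
      <ejb-name>LoginBean</ejb-name>
    </session>
  </enterprise-beans>
</jboss>
```

Because the second jar has no security domain, its bean is callable without authentication, so it should expose only the login operation and nothing that needs protecting.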