2 Replies Latest reply on Jul 29, 2004 6:58 AM by pablomart2002

    How to login (security) when using Cactus unit tests?

    pablomart2002

      I have some EJBs with local and remote interfaces and I'm finding my way with the security configuration. I have test cases that run with JUnit for both remote and local interfaces.
      When I run my test cases for the remote interfaces, I can do the user login (name/password) from the JUnit test cases themselves (using the CallbackHandler I learnt about from the "JAAS HowTo" doc).

      But now I want to test the "Local" interfaces using Cactus. So I need to do the user login from the Cactus servlet that is invoked from my JUnit client to execute the tests within the container. Again, my test cases will try to do the login using the CallbackHandler. But that strategy doesn't work: at the moment of the invocation to create an EJB the container throws an exception: Principal=null!!

      So if I understand correctly, the user credentials are NOT attached to the EJB context (as it was the case when I did the EJBs invocations remotely, outside of the container)

      ***My question***
      How can I set the user/password when my tests are invoked by the Cactus servlet? That is, when my test cases run *within* the container. I guess that in a normal web application, the server will automatically open a dialog asking the user to login. But I do NOT want that here (in fact there's NO user interaction through the web browser). I need a way to do the login silently.

      Can anyone help?? Maybe provide some links to read the solution somewhere else?? I'd appreciate it if some of you would summarize the big picture (and not only give a precise answer).

      Thank u,

      Pablo

        • 1. Re: How to login (security) when using Cactus unit tests?
          starksm64

          The same as any other java client. See the current JAAS Howto topic in this forum which gives an example of a servlet doing a jaas login via a filter.

          • 2. solved: How to login (security) when using Cactus unit tests
            pablomart2002

            I found the solution to my problem and I decided to write down the explanation in case someone else could ever need it :) Below I also cite a couple of links that helped me out.

            First, I needed to understand the concrete problem I was trying to fix, find a precise definition. And this is it: "invoke secured EJBs from clients running in insecure servlets, doing the login programmatically (without a popup dialog)". More precisely, the servlet is the Cactus servlet and the client are JUnit test cases that test the local interfaces exposed by some EJBs.

            To give you a little more context: I wrote a couple of EJBs with remote and local interfaces. I decided to make the EJBs secure by adding roles constraints for every method. I also wrote some JUnit test cases that run from Eclipse.

            In the case of the *remote* interfaces, I can perfectly run the test cases from Eclipse. As my EJBs are secured, my test cases need to do a *JAAS login* before getting any reference to the home interfaces. This way, the client credentials are passed on to the servlet with every remote method invocation. This (the credentials attachment) is totally transparent for me. All I need to do is the JAAS client login in the test cases. I do that using a CallbackHandler and using the "client-login" domain to identify the security configuration. The "client-login" domain configuration corresponds to the "ClientLoginModule". This is defined in the "auth.conf" file that I point to from the "java.security.auth.login.config" System property. It works fine: my test cases can invoke the methods on the remote EJBs deployed on the server.

            Next, I wanted to unit test the local interfaces using Cactus. I simply packed everything in one .ear file, including the .war with the Cactus library and test cases and the .jar with the EJB deployment. I did NOT configure any security for the Cactus servlet. After all, all I want to do is to handle security at the EJB level. I execute the test cases from Eclipse (the cactus framework delegates the invocation to the servlet running on the server). On the server, my test cases are again doing the JAAS login using the CallbackHandler and the "client-login". It is IMPORTANT to notice that in this case, the configuration of the "client-login" domain is retrieved from the "default\conf\login-config.xml" file in the JBoss installation. It's a server thing! This is different from the first scenario, where the actual configuration of the domain is retrieved from the "auth.conf" file (see above).
            And it works fine: although the Cactus servlet is not secured, my test cases can do the JAAS login silently before retrieving the home interfaces and after that the credentials are propagated with every method invocation on the EJBs.

            The problem I posted a couple of days ago was related to the fact that I didn't know that in the two cases (execution of test cases inside/outside the container) the configuration of the login modules is read from different sources.

            I hope the explanation can help someone else out there. I prefer not to post code fragments 'cause then it's more complicated to understand (I prefer text-based explanations that tell a story!).

            References to check out:
            -"Using J2EE security in web application" by Peter Doornbosch (http://www.luminis.nl/publications/websecurity.html)
            -"JAAS HowTo" by Scott Stark (Security forum at http://www.jboss.org)
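The silent login the thread converges on, written out as an added example (this is not code from the thread or from JBoss): a CallbackHandler that answers NameCallback/PasswordCallback from fixed values, and a LoginContext opened against the "client-login" configuration name the poster used. The same class works in both scenarios described above; only the source of the "client-login" entry differs (auth.conf named by -Djava.security.auth.login.config outside the container, the server's login-config.xml inside it). The user name, password and the auth.conf fragment in the comment are assumptions for illustration.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Programmatic (dialog-free) JAAS login for test code that calls secured EJBs.
 *
 * Outside the container the "client-login" entry is resolved from the file
 * named by -Djava.security.auth.login.config, e.g. an auth.conf containing
 * (assumed fragment, matching the JBoss ClientLoginModule the thread refers to):
 *
 *   client-login {
 *       org.jboss.security.ClientLoginModule required;
 *   };
 *
 * Inside JBoss (the Cactus case) the same name is resolved from the server's
 * conf/login-config.xml instead, so no system property is needed there.
 */
public class ClientLoginHelper {

    /** Hands a fixed name/password to whatever callbacks the login module asks for. */
    static final class FixedCredentialsHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        FixedCredentialsHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                Callback cb = callbacks[i];
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Fail loudly rather than silently ignoring an unexpected prompt.
                    throw new UnsupportedCallbackException(cb,
                            "Only name/password callbacks are supported");
                }
            }
        }
    }

    /**
     * Performs the login and returns the LoginContext so the caller can
     * logout() afterwards (ClientLoginModule associates the principal and
     * credential with the calling thread until then).
     */
    public static LoginContext login(String user, char[] password)
            throws LoginException {
        LoginContext lc = new LoginContext("client-login",
                new FixedCredentialsHandler(user, password));
        lc.login();
        return lc;
    }

    // Typical use from a JUnit 3 / Cactus test (names are hypothetical):
    //   protected void setUp() throws Exception {
    //       lc = ClientLoginHelper.login("testuser", "secret".toCharArray());
    //   }
    //   protected void tearDown() throws Exception {
    //       if (lc != null) lc.logout();
    //   }
    // Look up the EJB home only after setUp() has run, otherwise the container
    // sees no principal on the thread and rejects the call, as in the first post.
}
```

Calling logout() in tearDown() matters in the Cactus case: the test runs on a container thread that is reused for later requests, so a principal left on it would leak into unrelated tests.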