I've just discovered this bug.
I have two applications in JBoss. The first is lm.war, a web app. It contains users.properties and roles.properties files for the UsersRolesLoginModule.
I also have an application call cm.ear. It contains a working WS4EE EJB Web service, cm.jar. cm.jar also contains users.properties and roles.properties
When I try to access the secured web service, the UsersRolesLoginModule authenticates me against the users in lm.war, rather than those is cm.jar. Is this some kind of classpath error?
As a work around, I am defining an individual login module in conf/login-config.xml, and using unique filenames instead of just users.properties and roles.properties. However, this is not ideal.