In case somebody is running into the same issues as I do. In order to get the Subject propagated from the web layer to ejb layer I need to call WebAuthentication object (provided by JBoss tomcat service lib) explicitely using my custom security realm. I call this from inside an authenticator component which is not setup with an authentication method(this method is only used if no jaasConfigName is provided on security:identity component) and is called explicitely from my pages.xml setup.
The only thing not very clean about this approach is I need to call identity.authenticate() and add roles to the identity manually in addition to calling WebAuthentication.login() to ensure the subject is propagated to the Datasource pooling ByContainer setup as supported by CallerIdentityLoginModule.
Both WebAuthentication and identity.authenticate() execute the same loginmodule.
As a proposed enhancement Seam could provide better level of integration with jboss subject propagation in a future release.
If anybody is interested in getting more details I will gladly provide detailed info on how I implemented this.
We have an outstanding JIRA issue for better integration of Seam with container security in JBoss AS. If you could provide the details of what you did to implement this it would be greatly appreciated. Here's the link to the issue: