3 Replies Latest reply on Oct 18, 2001 8:24 AM by samhunt90

    Jboss security example

    mmills

      Would it be possible for someone to post a complete example with all supporting documentation on how to set up a web based application using JBoss' security model?

      I have read the JavaWorld article and many postings to this forum and still can't get my application to work.

      When I finally get the application to ask me for my username and password, it never accepts anything I enter. It just keeps asking me for them.

      I also am trying to use form based login. All I ever get is a login popup box--I have never seen my login.html page.

      An example that shows at least the following would be very helpful:
      1) Form based login
      2) All auth.conf files necessary
      3) All xml deployment descriptors
      4) Both secure and non secure pages

      I have been fighting with this for over a week now and still can't get anything to work. It is getting very frustrating!

      thanks

        • 1. Re: Jboss security example
          nathanf

          Welcome to the club. I've been grappling with much the same problem. I'm as far as being authenticated and authorized by the web app but I'm not by the EJBs. I've dissected the JAAS examples to get this far but man oh man, it is tough.

          • 2. Re: Jboss security example
            adrock

            I was able to get a basic web based application working with security using the DatabaseServerLoginModule. However, I took a slightly different approach at the web layer. Instead of using the standard form based login as described in the specifications, I used a regular form to establish credentials (i.e. name/password) to a regular session bean that would contain all my session context information including authentication information. I also performed the first preliminary authentication through this bean as well by initiating a login context directly to the DatabaseServerLoginModule. This will give back immediate results to the user as to whether or not they are authenticated. From there I create a "client-login" context using the ClientLoginModule. This is kept in the session bean for all subsequent calls to the EJB container. Any time I make a call to the EJB container I use the ClientLoginModule context. The EJB container uses the same DatabaseServerLoginModule originally used to perform the initial authentication on the web layer. This provides some additional benefits because I can keep the user's context all in one place and easily "re-authenticate" the user's context via the session bean to "switch" between users. This may not solve your problem, but gives a different perspective on authenticating with JBoss in a web based environment. Hope this helps.
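
The two-step login described in the reply above, as an added example (not adrock's code and not part of JBoss). The class name `SessionLogin` and the entry name `db-auth` are hypothetical; it assumes the JAAS configuration in use maps `db-auth` to DatabaseServerLoginModule and `client-login` to ClientLoginModule.

```java
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical web-tier helper (added example, not JBoss code). */
public class SessionLogin {
    // Assumed JAAS entry names: "db-auth" is a placeholder for an entry that
    // lists DatabaseServerLoginModule; "client-login" lists ClientLoginModule.
    static final String SERVER_ENTRY = "db-auth";
    static final String CLIENT_ENTRY = "client-login";
    private LoginContext clientContext; // kept for the life of the web session

    /** Hands the form's name/password to whichever module the entry names. */
    static CallbackHandler handler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // stores a copy
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** True only if the credentials verified and the client context was set. */
    public synchronized boolean login(String user, char[] password) {
        try {
            // Step 1: verify now, so the user gets an immediate answer.
            new LoginContext(SERVER_ENTRY, handler(user, password)).login();
            // Step 2: drop any previous identity, then set up the client context.
            logout();
            LoginContext ctx = new LoginContext(CLIENT_ENTRY, handler(user, password));
            ctx.login();
            clientContext = ctx;
            return true;
        } catch (LoginException e) {
            return false; // same answer for unknown user and wrong password
        } finally {
            Arrays.fill(password, '\0'); // wipe the caller's copy of the password
        }
    }

    public synchronized void logout() {
        if (clientContext == null) return;
        try { clientContext.logout(); } catch (LoginException ignored) { }
        clientContext = null;
    }
}
```

A failed login leaves any previously established client context in place; call `logout()` first if a failed user switch should also end the current identity.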

            • 3. Re: Jboss security example
              samhunt90

              Have you tried the "JAAS how to" examples? They include a web layer. I have gotten them to run successfully, although I'm still in the process of working through how everything fits together.