OK, it seems I managed to find it myself :)
Just for the record, and in case I got something wrong:
I have an AppCallbackHandler class (found it somewhere on the web :)) which supplies the name and password when required from the LoginContext. The LoginContext on the client uses the ClientLoginModule, and on the server the DatabaseServerLoginModule.
Another point which got me a bit confused in the beginning: the Roles table will have 2 (or possibly more?) entries for each principal: one with RoleGroup = Roles (its Role value is what should match the security setting in ejb-jar.xml) and one with RoleGroup = CallerPrincipal (its Role value being what is returned from the EJB when context.getCallerPrincipal() is called).
If this is not really how it should be, please let me know.
The Roles table could have multiple entries.
In my case I have the following roles...
An admin will have all 3 roles (thus 4 entries in the Roles table),
a Manager will have 3 entries (2 roles plus CallerPrincipal),
and a user will have 2.
So there are possibly n+1 entries in the table where n=# of possible roles.
Just one more question:
From my tests, it seems that all JSP pages that access an EJB have to create a LoginContext and call login() first.
Is it possible to only do that once for each session? So that you only call it at login, and then all subsequent calls from that session have the correct credentials associated with them?
The problem is, your JSPs are shared (by all sessions). So before calling JBoss in a JSP, you need to update your credentials, otherwise your call is done with whatever user credentials were set the first time.
I store the credentials in the HttpSession, and in every servlet call which needs to call JBoss I retrieve the credentials and perform the JBoss client-side login. Of course you can encapsulate this behaviour very nicely in some class called JBossHandle or something.
You need to do this if you're using a standalone Tomcat. If you use the embedded JBoss/Tomcat I think this mechanism is taken care of for you.
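The two pieces discussed in this thread, the AppCallbackHandler that feeds name and password to the LoginContext and the "JBossHandle"-style class that keeps the credentials in the HttpSession and re-runs the client-side login before each EJB call, put together as an added example. This is not code from the original posts or from JBoss; the login-configuration entry name "client-login", the session attribute name and the class layout are assumptions, and the entry is expected to point at org.jboss.security.ClientLoginModule. Note that ClientLoginModule does not verify the password; it only records the principal and credential so they travel with the EJB call and are checked on the server by DatabaseServerLoginModule.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Answers the NameCallback/PasswordCallback that ClientLoginModule issues.
final class AppCallbackHandler implements CallbackHandler {
    private final String name;
    private final char[] password;

    AppCallbackHandler(String name, char[] password) {
        this.name = name;
        this.password = password;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(name);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Refuse anything unexpected rather than silently ignoring it.
                throw new UnsupportedCallbackException(cb, "unsupported callback " + cb.getClass().getName());
            }
        }
    }
}

// Holds one session's credentials and performs the JBoss client-side login
// on whichever thread is about to call an EJB. Stored in the HttpSession once
// at login; every servlet/JSP that calls JBoss fetches it and calls bind().
public final class JBossHandle implements Serializable, HttpSessionBindingListener {
    static final String SESSION_KEY = "jbossHandle";   // assumed session attribute name
    static final String LOGIN_ENTRY = "client-login";  // assumed auth.conf entry using ClientLoginModule

    private final String name;
    private final char[] password;
    private transient LoginContext lc;

    private JBossHandle(String name, char[] password) {
        this.name = name;
        this.password = password.clone();
    }

    // Called once, at application login: run the client-side login and park the handle in the session.
    public static JBossHandle login(HttpSession session, String name, char[] password) throws LoginException {
        JBossHandle h = new JBossHandle(name, password);
        h.bind();
        session.setAttribute(SESSION_KEY, h);
        return h;
    }

    // Called at the start of every request that will touch an EJB. Because JSPs and
    // servlets are shared by all sessions, the identity set by some earlier request
    // may still be in effect, so the login is re-run for the current thread.
    public static JBossHandle forSession(HttpSession session) throws LoginException {
        JBossHandle h = (JBossHandle) session.getAttribute(SESSION_KEY);
        if (h == null) {
            throw new LoginException("no credentials bound to this session");
        }
        h.bind();
        return h;
    }

    public void bind() throws LoginException {
        lc = new LoginContext(LOGIN_ENTRY, new AppCallbackHandler(name, password));
        lc.login();
    }

    public void release() throws LoginException {
        if (lc != null) {
            lc.logout();
            lc = null;
        }
    }

    public String getName() {
        return name;
    }

    // Session timeout/invalidation: drop the client-side identity and wipe the password from memory.
    public void valueUnbound(HttpSessionBindingEvent event) {
        try {
            release();
        } catch (LoginException ignored) {
            // nothing sensible to do while the session is being torn down
        }
        Arrays.fill(password, '\0');
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // nothing to do
    }
}
```

In a servlet the pattern is `JBossHandle.forSession(request.getSession(false))` before the first EJB call of the request, and `release()` in a finally block once the request is done. The password has to stay in the session for as long as re-login is needed, which is the cost of this approach on a standalone Tomcat; clearing it in valueUnbound limits how long it lingers after the session ends. It is also worth checking the ClientLoginModule options for the JBoss version in use: in its default (non multi-threaded) mode the identity it sets is shared across threads in the client JVM, which is exactly why the re-login before each call is needed.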