FWIW, I am seeing the same problem, except w/ integrated Tomcat 4.0.*2*, and I am using UserRolesLoginModule. Also using FORM auth.
I deploy to JBoss 3.0/Jetty Beta - works great, the requested (protected) resource is returned. When I deploy same war and auth.conf to JBoss 3.0/Tomcat 4.0.2 Beta, I get a 403/access denied page after login (with correct user/pass).
BTW - it looks like BASIC auth is still broken in Tomcat 4.0.2?
BTW - this is the binary beta distro from SourceForge in both Jetty and Tomcat cases.
Also, I deployed this war to a standalone Tomcat 4.0.2 and it works just fine. Of course, it's using tomcat-users.xml instead of JAAS, but it doesn't seem like the authent. piece is what's broken in JBoss/Tomcat.