> When does the container call the server side LoginModule?
The simple answer :) is that it is called when the security interceptor checks the validity of the supplied credentials in the method invocation. It calls
isValid() on the security manager (JAASSecurityManager)
which creates a login context and calls login on it.
Thereafter it's up to JAAS to invoke your configured login modules. So if you have done a client login using the ClientLoginModule this will change the principal as you say. If there is no cached information for this principal then you should see another call on your login module.