The ClientLoginModule cannot verify the password, so it won't throw an exception for a "bad password".
The username/password will get verified on your first access to a secured EJB (at which time whatever LoginModule you configured for that will get executed); at that time you can get a LoginException (although it will be encapsulated within a RemoteException).
I think a LoginModule should perform an authentication. The JAAS dev guide states:
The login method should:
1. Determine whether or not this LoginModule should be ignored. (...)
2. Call the CallbackHandler handle method if user interaction is required.
3. Perform the authentication.
4. Store the authentication result (success or failure).
5. If authentication succeeded, save any relevant state information that may be needed by the commit method.
6. Return true if authentication succeeds, or throw a LoginException such as FailedLoginException if authentication fails.
Since the ClientLoginModule simply stores the username and password and no authentication is performed, does this not break the JAAS specs?
On the other hand, maybe I should add my server-side LoginModule in the client auth.conf file to perform the authentication. The job of authenticating at LoginContext.login() will be handled by the LdapLoginModule and the method call security will be handled by the ClientLoginModule.
JAAS dev guide:
I just found a nice note in the paid documentation about that. I will post it here because I think any divergence from the JAAS specs should be documented in the source code, not only in paid documentation.
Note that this login module does not perform any authentication. It merely copies the login information provided to it into the JBoss server EJB invocation layer for subsequent authentication on the server. If you need to perform client-side authentication of users you would need to configure another login module in addition to the ClientLoginModule.
Conclusion: it's not enough to buy the doco, you have to read it too!
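The stacking suggested earlier in the thread (an authenticating module in front of ClientLoginModule, as the documentation note also recommends), written out as an added example rather than code from the thread or from JBoss. It assumes the JBoss client jars are on the classpath and that an LDAP server is reachable; the LDAP URL and DN pattern are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class StackedClientLogin {

    // Programmatic equivalent of an auth.conf entry with two "required" modules.
    static Configuration stackedConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> ldapOpts = new HashMap<>();
                // Placeholder values: replace with your directory's URL and DN pattern.
                ldapOpts.put("userProvider", "ldap://ldap.example.invalid:389/ou=people,dc=example,dc=invalid");
                ldapOpts.put("authIdentity", "uid={USERNAME},ou=people,dc=example,dc=invalid");
                return new AppConfigurationEntry[] {
                    // Step 3 of the JAAS guide ("perform the authentication") happens here:
                    // the JDK's LdapLoginModule binds to the directory with the given password.
                    new AppConfigurationEntry("com.sun.security.auth.module.LdapLoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, ldapOpts),
                    // ClientLoginModule only copies the credentials into the JBoss
                    // invocation layer; it never rejects a password on its own.
                    new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>())
                };
            }
        };
    }

    // Hands the username/password to whichever module asks for them.
    static CallbackHandler handler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Sample credentials are constructed for the example.
        LoginContext ctx = new LoginContext("client-login", null,
            handler("alice", "secret".toCharArray()), stackedConfig());
        try {
            ctx.login(); // a bad password now fails here, before any EJB call is made
            System.out.println("authenticated as " + ctx.getSubject().getPrincipals());
        } catch (FailedLoginException e) {
            System.out.println("login failed: " + e.getMessage());
        }
    }
}
```

With both modules marked REQUIRED, LoginContext.login() throws if the LDAP bind fails, so the client sees a plain LoginException instead of a RemoteException on its first secured EJB call.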