You have to add a login module that actually does authentication. The ClientLoginModule only propagates the caller identity to the transport layer for authentication of calls to the server.
What about the Subject? Is there any way to synchronize the Subject between the client and the server, other than performing the login in both places?
Is there a login module that performs real user authentication, unlike the ClientLoginModule? Does it work with standard JBoss or does it need some extras?
And one more question.
Using the ClientLoginModule I've seen that the server does not perform authentication when the InitialContext.lookup() or InitialContext.list() methods are invoked. Are there any configuration parameters specifying that these methods must throw an exception for a user with an invalid username/password?
The JAAS login done on a client is decoupled from the server. If you obtain the Subject from the client side LoginContext, it will not have the same info as the server. The only way they are coupled is that the configured login modules will have to validate the same identity and proof of identity. You can use client/server oriented login modules that provide tighter coupling if you want.
The SRPLoginModule, LdapLoginModule and UsersRolesLoginModule are example JBoss login modules that can be used to perform client-side authentication. There are others available from third-party sources as well.
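One way to configure the client side as this answer describes, stacking a module that really validates credentials ahead of the ClientLoginModule. This is an added example, not configuration from the thread or from JBoss itself; the policy name "client-login" and the properties-file names are assumptions.

```xml
<!-- Client-side login-config.xml (assumed policy name and file names) -->
<policy>
  <application-policy name="client-login">
    <authentication>
      <!-- Really checks username/password against users.properties on the
           client classpath; roles come from roles.properties. A wrong password
           fails here, before anything is sent to the server. -->
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="usersProperties">users.properties</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
      <!-- Only propagates the identity to the invocation layer for the calls to
           the server; it performs no validation of its own. Both modules ask the
           same CallbackHandler for the username and password. -->
      <login-module code="org.jboss.security.ClientLoginModule"
                    flag="required"/>
    </authentication>
  </application-policy>
</policy>
```

Note that the server still authenticates every secured invocation with its own login-config.xml policy; the client stack only adds a local check and a locally populated Subject, it does not make the server's Subject identical.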