0 Replies Latest reply on Feb 8, 2005 12:02 PM by rworsnop

    Token generation on login

      I would like to generate a token on successful password login, and then be able to use that token to access EJBs.

      I found this relatively straightforward to implement for a fat client: the client uses a LoginModule that generates a token, and then shares that token with ClientLoginModule, which ensures that it is sent with each subsequent EJB call. The EJBs are associated with a security domain whose LoginModule validates the token.

      I have a problem trying to do something similar with web applications. It seems that j_security_check/j_password will be passed as the credential to the EJBs. Because the EJBs' LoginModule is expecting a token, authentication fails.
      The password seems to be placed on the session during login, within a JBossGenericPrincipal. It gets picked up by the SecurityInterceptor on EJB calls and passed to the security manager for authentication.

      Is there a straightforward way to get JBoss to remember my token instead of the password?

      Thanks,
      Rob.
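A sketch of the server-side half of the setup described in the post, as an added example that is not the poster's code or JBoss's own: a standard JAAS LoginModule that accepts only a signed token as the credential, which is why a password forwarded from j_security_check is rejected. The class name, the `user:expiry:mac` token format and the `hmacKey` module option are assumptions made for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module: accepts only credentials of the assumed form user:expiry:mac.
public class TokenLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private byte[] key;           // assumed shared secret from the "hmacKey" module option
    private Principal principal;  // set only after a token has verified
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h;
        key = String.valueOf(opts.get("hmacKey")).getBytes(UTF_8);
    }
    // MAC over "user:expiry"; the token-issuing module would compute the same value.
    static String mac(byte[] key, String user, long expiry) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(m.doFinal((user + ":" + expiry).getBytes(UTF_8)));
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("token", false);
        try {
            handler.handle(new Callback[] {nc, pc});
            // A password forwarded from the web tier fails here: it is not user:expiry:mac.
            String[] p = new String(pc.getPassword()).split(":");
            if (p.length != 3 || !p[0].equals(nc.getName())) throw new FailedLoginException("not a token");
            long expiry = Long.parseLong(p[1]);
            // Constant-time comparison of the recomputed MAC with the presented one.
            boolean ok = MessageDigest.isEqual(mac(key, p[0], expiry).getBytes(UTF_8), p[2].getBytes(UTF_8));
            if (!ok || expiry < System.currentTimeMillis() / 1000) throw new FailedLoginException("bad token");
            principal = () -> p[0];
            return true;
        } catch (Exception e) { // callback failure, missing credential, malformed expiry
            throw new FailedLoginException("token rejected");
        }
    }
    public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
    public boolean abort() { return logout(); }
    public boolean logout() { return principal == null || subject.getPrincipals().remove(principal); }
}
```

The sketch covers validation only; how the web tier would carry the token instead of the password is the open question of the post and is not addressed here.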