A login module can call any resource it wants. The target ejb cannot be in the same security-domain as the login module.
I solved defining two different login modules extending the base one. The first, which I will deploy into the web tier server, is going to ask authentications service to EJBs installed in the ejb tier server. The second, which I will deploy in the EJB server will access directly to the DB.
But I don't understand the following
The target ejb cannot be in the same security-domain as the login module.
I defined the same security-domain for the Login Module and for the authentication EJB. It works!
The two security-domain settings are not in the same server and therefore are really not the same.