You need to use the PooledInvoker enhancements in 4.0.4RC1 to have access to the client cert for security decisions in the ejb container.
SRP could be used to create a similar custom ssl type of arrangement as well. Since this is on top of the transport layer it can be integrated with any of the existing detached invokers.
I finally got approval from the client.
I checked out the PooledInvoker, and I think I will try that approach. Other than providing custom socket factories, do I need to do anything special for a server side login module to access the client cert as a credential?
What kind of configuration would be required on the client?
Will the ClientLoginModule still be necessary?