There is no way to call an EJB secured by the same security domain as the login module short of writing a new SecurityInterceptor that looks to a run-as role or other token before deciding to do authentication. It does not make sense for this relationship to exist in my view, as there is no differentiation between callers of an EJB. A login module has no special role to do so unless a separate security domain or interceptor is used to provide this.
Yeah, I agree, after much consideration. I just thought it would be cool to have a LoginModule that asked an EJB to do the login. However, I have changed my LM design to access the DB directly.