Please see thread http://www.jboss.com/index.html?module=bb&op=viewtopic&t=79268
The problem is like this. You have an EJB that can log users into your realm. This is usefull to handle complex logins that are not handled by simply accessing an database directly. And you also have a custom LoginModule (say login module A) that uses this EJB to perform the login. However, when login module A accesses the secured EJB, it needs to authenticate as well. If your login module A is also the login module used to secure your EJB, then a cycle develops.
If you have another login module B, that is used to secure your EJB, then it must not access your EJB to perform the login.
I have yet to solve this problem, but if I do, I will reply on forum #79268.