I've never done this, so I'm no expert, but I think what you do is have a single security domain that uses both modules and use the "password-stacking" option.
Hopefully somebody else can offer you more definitive help.
I think you are on the right track cuoz. I would add that you may need to modify the flag attribute of login-module element in login-config to not make both modules required. Maybe, make one sufficient or something. Read http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html to see what fits.