Just found that it does not work at all with a policy in jboss-app.xml. Apparently it is used to authenticate accesses to the ejb module even though they come from an already authenticated web application.
My new and improved question is thus;
Is it at all possible to two web modules in one ear using two different policies?
Yes, individual web applications can have different security domains.
The scenario you describe in your usecase (two web modules bundled in an ear behaving wierdly wrt different security domains) needs to be tested on our side, to see if there is any bug.
You can expedite the investigation with a sample test application that you can attach to the JIRA issue, that demonstrates the issues you have.