We have set up a separate Tomcat installation
How does Tomcat's security system interface with JBoss' in your environment?
Also, you may want to read the security chapter of the server guide at http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html
Well, I have a custom login module (the same one) on both the Tomcat side (common/lib) and the JBoss side (lib). Tomcat points to the login conf file through the Java option -Djava.security.auth.login.config and to the JBoss application server through -Djava.naming.provider.url. In the Tomcat login conf I have org.jboss.security.ClientLoginModule set to required, so as to chain the authentication to JBoss, with the options multi-threaded = "true" and password-stacking = "useFirstPass". As I said before, if multi-threaded is set to false it works perfectly; set to true, it works intermittently.
I was trying to get you to do some research so you understand your situation better and then you could see what you were doing wrong. In any case...
Your problem is that ClientLoginModule only passes security data to JBoss invocations within the current thread. However, Tomcat uses thread pools to handle requests. So one request might work fine, but the other would not. When Tomcat is embedded in JBoss, a valve is added to the pipeline that ensures the security data is present on each request thread. If you want to use Tomcat outside of JBoss, you need to make sure that this valve is used. Also, since Tomcat is not using JBossSecurityMgrRealm (or its newer relative), the security data does not get flushed in JBoss when the HttpSession is invalidated.
Does this help? cgriffith
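The thread-pool behaviour described in the reply above, as an added example that is not part of the original thread and is not JBoss or Tomcat code. The `CALLER` thread-local, `invokeBackend` and `handleWithBinding` are hypothetical stand-ins for the per-thread security association, a secured remote call, and the per-request valve.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalIdentityDemo {
    // Hypothetical stand-in for identity stored per thread (multi-threaded = "true").
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Hypothetical secured call: it only sees the identity bound to the current thread.
    static String invokeBackend() {
        String who = CALLER.get();
        String thread = Thread.currentThread().getName();
        return who == null ? "DENIED, no identity on " + thread
                           : "OK as " + who + " on " + thread;
    }

    // What a per-request valve or filter has to do: bind before the call, clear after.
    static String handleWithBinding(String sessionUser) {
        CALLER.set(sessionUser);
        try {
            return invokeBackend();
        } finally {
            // Without this, the next request served by this pooled thread
            // would run with the previous user's identity.
            CALLER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(3);

        // The login runs once, on whichever pool thread served that request.
        pool.submit(() -> CALLER.set("alice")).get();

        // Later requests land on arbitrary pool threads, so only some see "alice".
        Callable<String> unbound = ThreadLocalIdentityDemo::invokeBackend;
        for (int i = 1; i <= 6; i++) {
            System.out.println("unbound request " + i + ": " + pool.submit(unbound).get());
        }

        // Binding the session's user on every request makes each call succeed.
        Callable<String> bound = () -> handleWithBinding("alice");
        for (int i = 1; i <= 6; i++) {
            System.out.println("bound request " + i + ": " + pool.submit(bound).get());
        }
        pool.shutdown();
    }
}
```

In the unbound loop the thread that served the login still carries "alice" for every later request it handles, whoever sent them, which is why the bound version clears the thread-local in `finally`.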