As I understand it, an application client is not authenticated until the next EJB call. But http://www.jboss.org/community/wiki/SecurityFAQ Q3 hints: "This example is for a scenario where a calling client is using the LoginContext directly and requires feedback from the LoginContext.login() method if authentication using the users username and password was successful."
But this does not work for me with JBoss 4.3: LoginContext.login() returns immediately without going to the server. How can you authenticate a client without doing an EJB call? Ideally this should return a token you can use for the next EJB call.