This week's book giveaway is in the OCPJP forum. We're giving away four copies of OCA/OCP Java SE 7 Programmer I & II Study Guide and have Kathy Sierra & Bert Bates on-line! See this thread for details.
JAAS' security propagation between containers is not well specified actually. This usually is done using a ThreadLocal class wich propagates the authenticated principal to the EJB's stub on a specific container manner. Jboss client LoginModules uses the class org.jboss.security.SecurityAssociation to make this association. So, in your web LoginModule you have to set your authenticated principal to this class, like the example: