Once the user (web tier) has been authenticated via JAAS, the client can call EJBs securely. The authentication is propagated to the EJB upon method invocation.
You should supply different configurations for the web and EJB tiers.
In the web.xml you specify the authentication method and security constraints for your pages.
In the EJB deployment descriptor (or annotations) you specify the security roles allowed for method invocations.
They share the same authentication but the configuration is different.
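An added example (not code from the original post) of the two-tier setup described above: the web tier declares the URL constraint, the EJB declares the roles allowed on its methods, and the container carries the authenticated principal across the call. The role name "manager", the bean and servlet names, and the `batch` parameter are assumptions; the `<login-config>` that performs the actual login still goes in web.xml.

```java
// --- PayrollBean.java --- (added example, not from the post; "manager" role is assumed)
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// EJB tier: roles are declared on the bean (or in ejb-jar.xml), not in
// web.xml; the container enforces them using the identity propagated
// from the already-authenticated web tier.
@Stateless
@DeclareRoles({"manager", "employee"})
public class PayrollBean {
    @Resource
    private SessionContext ctx;

    // Callers outside "manager" get an EJBAccessException from the container.
    @RolesAllowed("manager")
    public String approvePayroll(String batchId) {
        // Same principal the servlet saw: the login was propagated, not repeated.
        return ctx.getCallerPrincipal().getName() + " approved batch " + batchId;
    }
}

// --- PayrollServlet.java ---
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Web tier: annotation form of a web.xml <security-constraint>; the
// <login-config> (FORM, BASIC, ...) that performs the login stays in web.xml.
@WebServlet("/payroll/approve")
@ServletSecurity(@HttpConstraint(rolesAllowed = "manager"))
public class PayrollServlet extends HttpServlet {
    @EJB
    private PayrollBean payroll;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No re-authentication here: the container already holds req.getUserPrincipal().
        resp.getWriter().println(payroll.approvePayroll(req.getParameter("batch")));
    }
}
```

If the web constraint and the EJB roles drift apart, the EJB check still holds: a user who reaches the servlet without the "manager" role is rejected at the bean boundary.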