Jaikiran,
Thanks for you response. No, I don't have ClientLoginModule in the "foo" policy, just DatabaseServerLoginModule. However, I do have ClientLoginModule alone in the "client-login" policy, and I have found I can make some progress if I authenticate on the "client-login" domain on the web app and the "foo" domain on the server side.
What is the proper way to set this up? The web client and EJB server are running in the same container and same server, so they share a login-config.xml. Should I just add ClientLoginModule to the foo stack?
Thanks for your help.
Dave