Turns out my problem had to do with X11 permissions, since I was trying to launch an xterm, which needed to open a window on the X server.
So actually my problem had nothing to do with glassfish, but I'm glad I posted it anyway, because your answer was very interesting. Having the web server process communicate to a separate daemon that spawns the legacy program has other advantages - for instance I can have the daemon running as a different user and with different permissions, so that the programs I exec don't run with the identity of the glassfish server. Ultimately I need a way to map the identity and credentials that come in with the web service request into a unix userid that the legacy program runs under. This is going to take some thought to get the architecture right.
Thanks for the ideas!
[Message sent by forum member 'duncant' (duncant)]
http://forums.java.net/jive/thread.jspa?messageID=255967