I gave this some thought after my initial post. I think I can understand why the ClientAuthModule wouldn't work for incoming requests since the Servlet Container isn't the container making the request. Instead it is receiving it, thus the only option is the ServerAuthModule.
That is fine, in the validateRequest() method then there is a ClientSubject and a ServerSubject. The ClientSubject is always empty and non-null, and the ServerSubject is always null. This is where I think there is a problem. Why is the ServerSubject null? My hope was that this would be non-null, and I could populate it with the correct credentials. Then when the container executes the J2EE permissions it would use these credentials.
Instead, it is null, and creating and setting a Subject to that object reference doesn't seem to be picked up by the container.
[Message sent by forum member 'athrawn17' (athrawn17)]
http://forums.java.net/jive/thread.jspa?messageID=258244