I think you misunderstand how a user authenticates in a JEE application.
JACC is not necessary for your scenario, and, unless you have requirements that force you to do complicated authentication logic, neither is JAAS.
Instead, if you are fronting your EJBs with a web application, you need to make the user log in from the web tier using the Servlet specification (do a search on "j_security_check" to get you pointed in the right direction).
Or, if you're fronting your EJBs with an application client, then it does the login for you. See the JEE specification section on application clients.
Once your user has authenticated using these standard methods (which work in either Glassfish or JBoss or anything else) and is known to the container, then you use the container's facilities for assigning him to roles. Then whenever a call is made to a protected EJB, the container can enforce the required security.
I hope this helps.
Best,
Laird
[Message sent by forum member 'ljnelson' (ljnelson)]
http://forums.java.net/jive/thread.jspa?messageID=293554