HTTP 403 will occur when the authentication succeeded but none of the principals/groups in the subject are authorized to access the requested resource.
Please check whether the group/principal mappings in sun-web.xml are the same as the ones being set by your LoginModule in the commitAuthentication method.
[Message sent by forum member 'nasradu8' (Sudarsan.Sridhar_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=391168
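
Added example, not part of the original post: a small offline check that compares the `security-role-mapping` entries in sun-web.xml with the groups a login module commits, to show why a successful login can still end in 403. The descriptors, the user name, the group names and the function names are constructed for illustration, and exact case-sensitive name comparison is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original post).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>administrator</role-name>
    <group-name>Admins</group-name>
    <principal-name>root</principal-name>
  </security-role-mapping>
</sun-web-app>"""


def role_mappings(sun_web_xml):
    """Return {role: (groups, principals)} from sun-web.xml."""
    mappings = {}
    for m in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        role = m.findtext("role-name").strip()
        groups, principals = mappings.setdefault(role, (set(), set()))
        groups.update(g.text.strip() for g in m.findall("group-name"))
        principals.update(p.text.strip() for p in m.findall("principal-name"))
    return mappings


def required_roles(web_xml):
    """Return the role names listed in the auth-constraints of web.xml."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for ac in root.iter("auth-constraint")
            for r in ac.findall("role-name")}


def diagnose(web_xml, sun_web_xml, user, committed_groups):
    """Map each required role to True if the subject would be granted it."""
    mappings = role_mappings(sun_web_xml)
    result = {}
    for role in required_roles(web_xml):
        groups, principals = mappings.get(role, (set(), set()))
        # Assumption: names are compared as exact, case-sensitive strings.
        result[role] = user in principals or bool(groups & set(committed_groups))
    return result
```

A role that comes back `False` for a user who authenticated successfully is the 403 case: the committed group names and the mapped `group-name` values do not match.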