As discussed on the Jetspeed developers mailinglist (thread starts with: http://nagoya.apache.org/eyebrowse/ReadMsg?listNamefirstname.lastname@example.org&msgNo=14605) the new behaviour of Tomcat 5 to set the ContextClassLoader in the JAASRealm to the server classloader prevents defining LoginModules within the context of an web app.
As a quick solution to this problem the Tomcat 5 JAASRealm is going to be patched to revert back to the old Tomcat 4 handling.
The preferred solution is that the Tomcat Team would do this themselves or provide it as an option. Someone should start discussing this with them....
I'll provide a patch implementing the quick fix which will depend on the user property catalina.version.major=5 to be enforced upon the catalina server: when this condition is true a patched version of the Tomcat 5.0.24 JAASRealm.java revision 1.6 will be compiled into the $Tomcat/server/classes directory.