certRealm in login.conf login module class is never loaded
I have followed what little instructions exist for configuring client cert authentication, but the class specified in the login.conf is never loaded. I have tried with 2.1 and 3.1 with no difference. I have defined a static initializer in the class, so that is how I know it is not being loaded. Every time I hit the protected URL, the server responds with a 400. If I remove the protection in the web.xml, the file retrieves just fine, but when I set CLIENT_CERT again, wham, 400, with NO exceptions of any kind. I have set FINEST on the logging, and nothing shows up about the login module class, but it does show that the CertificateRealm loads succesfully, but there is not any indication that it is loading the login module specified by its jass-context property thru the login.conf.
If anyone has made this work, please tell me HOW.