I figured this out in the end myself. There was no wrong settings etc on the client side. But when setting up the module in jboss's standalone.xml, the cache-type was set.
If cache-type is removed from the security-domain section, the module will be called on every request.
<security-domain name="example" cache-type="default">
<authentication>
<login-module code="com.example.loginModule" flag="required"/>
</authentication>
</security-domain>
Hope this might help someone else.