To tunnel RMI calls over HTTP, check out this link:
But if your application has sensitive data and the RMI traffic needs to be encrypted, well, that's not good enough. I have posted a question in this forum to find out if it is possible to configure JBoss to tunnel RMI calls
Barring a built-in solution from JBoss, you can stream Serializable objects to and from the applet over an HTTP or HTTPS URLConnection to a server-side servlet or JSP page. From there you can make EJB calls or do whatever you need to do.
Another option to consider is web services.
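The servlet approach described above, as an added example that is not part of the original post: an object is streamed over a `URLConnection`, and the receiving side restricts deserialization to the expected message types, since the endpoint accepts serialized data from the network. The JDK's built-in `HttpServer` stands in for the servlet so the code runs stand-alone on JDK 9 or later; the `Request` class, the `/tunnel` path and the `getBalance` operation are hypothetical, and in a deployment the URL would be an `https://` address on the servlet container so that its TLS configuration encrypts the traffic.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;

public class TunnelDemo {
    // Hypothetical message type shared by the applet and the server side.
    static class Request implements Serializable {
        private static final long serialVersionUID = 1L;
        final String op; final int accountId;
        Request(String op, int accountId) { this.op = op; this.accountId = accountId; }
    }

    // Allow-list filter: any class other than the expected message types is rejected.
    static final ObjectInputFilter ONLY_EXPECTED = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // size/depth callbacks
        return (c == Request.class || c == String.class)
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    static Object readFiltered(InputStream raw) throws IOException, ClassNotFoundException {
        ObjectInputStream in = new ObjectInputStream(raw);
        in.setObjectInputFilter(ONLY_EXPECTED); // must be set before readObject()
        return in.readObject();
    }

    public static void main(String[] args) throws Exception {
        // Server side: this handler plays the role of the servlet's doPost().
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/tunnel", ex -> {
            try {
                Request req = (Request) readFiltered(ex.getRequestBody());
                ex.sendResponseHeaders(200, 0);
                try (ObjectOutputStream out = new ObjectOutputStream(ex.getResponseBody())) {
                    // The EJB call would go here; the reply is a plain String.
                    out.writeObject("handled " + req.op + " for account " + req.accountId);
                }
            } catch (InvalidClassException | ClassNotFoundException | ClassCastException e) {
                ex.sendResponseHeaders(400, -1); // unexpected type: refuse the request
            } finally { ex.close(); }
        });
        server.start();
        // Client (applet) side: POST the serialized request, then read the serialized reply.
        URL url = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/tunnel").toURL();
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setDoOutput(true); // switches the request method to POST
        try (ObjectOutputStream out = new ObjectOutputStream(conn.getOutputStream())) { out.writeObject(new Request("getBalance", 42)); }
        System.out.println(readFiltered(conn.getInputStream()));
        server.stop(0);
    }
}
```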