Hi. I'm trying to do the same thing--communicate from an applet to JBoss. I think I'm working through some of the same problems as you with respect to security. I don't currently understand what I need to do from my applet (note: I have username and password available to me within the applet) to login via jaas/get an initial context that "knows" about the security roles that my user has--as a result, I'm forced to set all my ejb method permissions to 'unchecked'.
As far as making the classes available to the applet, I just added the appropriate jars to my war and have them downloaded with the applet. Is there a reason you can't do that?