> do I have to authenticate separately for the Applet?
Short answer: Because it uses a separate connection.
Long answer: What did you expect? You secure the HTML file by basic authentication, that is, HTTP-based security. You access an EJB over RMI... and then... you expect the bean to figure out that the call is started from an applet that is downloaded from a secured page???