I don't know how this could have been working in 3.2.3. You cannot use a preceding login module to provide an authenticated context to secured resources for subsequent login modules declared in the same configuration. JAAS authentication does not work that way. The overall collection of login modules has to execute in order for there to be a security context established for use for ejb calls. The looping behavior is what I would expect.
There are two execution modes for the given login module stack:
1) an anonymous call is made and the unauthenticatedIdentity mode of the AnonLoginModule succeeds and the DesktopJBossLoginModule is never called.
2) a call with a security context is made and the AnonLoginModule fails and the DesktopJBossLoginModule is executed. A call to an unchecked ejb still needs an authentication context. The only way this can work is by deploying the ejb used by the DesktopJBossLoginModule under a separate security domain that allows anyone to access it. The jboss.xml descriptor allows for this so check the jboss_3_2.dtd for the syntax.
You can file a bug report at sourceforge if you have a testcase that shows the looping on 3.2.5 but that works on 3.2.3 here:
Thanks Scott for the response. I was not aware that one could create multiple security domains in the same deployable jar file.
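The separate-security-domain arrangement suggested in the reply above, sketched as a jboss.xml fragment. This is an added example, not a descriptor posted in the thread: the bean names, the container name and the domain names `desktop` and `desktop-open` are hypothetical, and element order should be checked against jboss_3_2.dtd as the reply advises.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss>
  <!-- Default domain for every EJB in this jar. Assumed to be the domain
       whose login-config.xml entry stacks AnonLoginModule and
       DesktopJBossLoginModule. The name "desktop" is hypothetical. -->
  <security-domain>java:/jaas/desktop</security-domain>

  <enterprise-beans>
    <!-- Hypothetical business bean: inherits the default domain above. -->
    <session>
      <ejb-name>OrderServiceBean</ejb-name>
    </session>

    <!-- Hypothetical bean that DesktopJBossLoginModule calls while it is
         authenticating. It is bound to its own container configuration so
         that the call does not re-enter the "desktop" login module stack,
         which is what produces the loop described in the thread. -->
    <session>
      <ejb-name>AuthLookupBean</ejb-name>
      <configuration-name>Open Stateless SessionBean</configuration-name>
    </session>
  </enterprise-beans>

  <container-configurations>
    <!-- Copy of the standard stateless container with only the security
         domain overridden. "desktop-open" (hypothetical) must exist as its
         own application-policy in login-config.xml, with a login module
         stack that accepts any caller and never calls AuthLookupBean. -->
    <container-configuration extends="Standard Stateless SessionBean">
      <container-name>Open Stateless SessionBean</container-name>
      <security-domain>java:/jaas/desktop-open</security-domain>
    </container-configuration>
  </container-configurations>
</jboss>
```

Because the open domain admits any caller, the bean placed in it should expose only what the login module needs for credential lookup and nothing that the `desktop` domain is meant to protect.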