Thank you for the hint!
Yes, this action is a part of standard MVC framework and is invoked by a secured servlet (FORM-based authentication).
I've posted my EJB and Web deployment descriptors in the Internet: http://www.chat.ru/~kazarena/dd.zip.
Could you please take a quick look to find out if there's anything in there, which is fine for Jboss 3.0.4, but doesn't work in Jboss 3.2.3?
Your answer explains why I'm getting a proper Principal in the first EJB, but tt's still a mistery to me, how I can get to EJB layer (which means: to pass the EJB security restrictions, defined in my ejb-jar.xml, check the roles), but get stuck inside EJB layer (when invoking the second bean) with security violation.
I would really appreciate it, if you could take a look at the descriptors.