Thank you Anil for your informations.

In the same thread I posted an easy example application, that demonstrates the problem...

The missing propagation is related to the login-request itself...

It's still serious for me, because the application I want to migrate, is invalidating the http session, if the ejb context gives me an anonymous caller...