The appclient container collects the caller credentials (e.g. username and password) and uses them to pass a caller identity and a corresponding authenticator (i.e. a proof of identity) to the ejb application container. It is the ejb application container that authenticates (i.e. verifies) the proof of identity received with the invocation. In caller propagation scenarios, an invoking container sends an assertion of caller identity without a corresponding authenticator, and the receiving container "authenticates" the invocation by determining whether the source of the request (i.e., the invoking container) is authorized to assert the propagated identity.
[Message sent by forum member 'monzillo']
http://forums.java.net/jive/thread.jspa?messageID=397865
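
The two cases described in the post above, as an added example that is not part of the original message and is not GlassFish code: a simplified Python model of the receiving container's decision. The names `Invocation`, `establish_caller`, `CREDENTIALS` and `TRUSTED_ASSERTERS` and all sample values are hypothetical, and `source` is assumed to have been authenticated already by the transport.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

_SALT = b"constructed-salt"  # constructed sample value


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed sample data held by the receiving (ejb) container.
CREDENTIALS = {"alice": _hash("s3cret")}
# Hypothetical trust policy: which invoking containers may assert which callers.
TRUSTED_ASSERTERS = {"web-tier": {"alice", "bob"}}


@dataclass
class Invocation:
    source: str                          # invoking container (assumed already authenticated)
    caller: str                          # caller identity carried with the request
    authenticator: Optional[str] = None  # proof of identity; absent when propagated


def establish_caller(inv: Invocation) -> str:
    """Return the caller identity the receiving container accepts, or raise."""
    if inv.authenticator is not None:
        # Case 1: identity plus authenticator. The receiver verifies the proof itself.
        expected = CREDENTIALS.get(inv.caller)
        supplied = _hash(inv.authenticator)
        if expected is not None and hmac.compare_digest(expected, supplied):
            return inv.caller
        raise PermissionError("authenticator rejected")
    # Case 2: caller propagation. There is no proof to verify, so the decision
    # rests on whether the source is authorized to assert this identity.
    if inv.caller in TRUSTED_ASSERTERS.get(inv.source, set()):
        return inv.caller
    raise PermissionError(f"{inv.source!r} may not assert {inv.caller!r}")
```

In the propagation branch the caller's password never reaches the receiver, so the trust policy is the only control on which identities a given container can introduce.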