http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2/doc/Server_Configuration_Guide/J2EE_Declarative_Security_Overview-Security_Identity.html if no explicit security-identity is set in ejb-jar on a bean, then propagation of the caller identity should be the default.
That is not currently the case, if no security-identity is set then useCallerIdentity remains false. I believe the bug is in org.jboss.ejb.plugins.SecurityInterceptor#setContainer and that adding the follwing at line 160 (on the JBossAS 5.1.0.GA version) should solve the problem:
if (secMetaData == null)
this.isUseCallerIdentity = true;
Could be that this bug was introduced with the fix for
JBAS-5011, for some reason I can't get fisheye to work right now to check it out.