It's not the responsibility of the client to do that. See section 21.4 (Security - Deployer's responsibilities) and section 21.7 (Security - System Administrator's responsibilities) of the EJb 2.0 specification.
Basically, roles, groups, principals, etc, are configured when an enterprise application is deployed (or sometimes at runtime), the client doesn't have to do anything, he just keeps invoking methods and the EJB container will look up if the given user is allowed to invoke it.
I feel i am not able two explain my question earlier . suppose two client make request , A admin B clerk
so in this case what information from client part has been sent to the server ,so that server can determine which one is A and which one is B. once A and B are identified then server can determine which one admin and who is clerk