EJBs do not actually care about the user ID and password. All they care about is the roles that user has. Usually, you have to identify yourself with your username and password through another security infrastructure (LDAP, etc.) and then once you are "logged in" you have a Principal that represents you. Usually, principals are created by the application server using JAAS or another mechanism. The bottom line is that as far as EJBs are concerned, they don't care about your username and password.
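
The role-only view described above, as an added example that is not part of the original post: a session bean that makes its authorization decisions from the caller's roles and Principal and never sees a credential. The bean name, the role names `teller` and `manager`, and the limit are hypothetical; the code assumes the `javax.*` EJB 3 API (Jakarta EE 9 and later use the `jakarta.*` package prefix) and a container that has already authenticated the caller and mapped them to roles.

```java
import java.math.BigDecimal;
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean: the role names and the limit are assumptions for illustration.
@Stateless
@DeclareRoles({"teller", "manager"})
public class AccountServiceBean {

    private static final BigDecimal MANAGER_LIMIT = new BigDecimal("10000");

    // Injected by the container. It exposes the Principal and role membership
    // established at login; there is no API here to read a password.
    @Resource
    private SessionContext ctx;

    // Declarative check: the container rejects a caller who holds neither role
    // with an EJBAccessException before the method body runs.
    @RolesAllowed({"teller", "manager"})
    public String transfer(String from, String to, BigDecimal amount) {
        // Programmatic check for a rule that depends on the arguments.
        if (amount.compareTo(MANAGER_LIMIT) > 0 && !ctx.isCallerInRole("manager")) {
            throw new EJBAccessException("transfers above the limit require role 'manager'");
        }
        // The Principal's name is used only for the audit trail, not for the decision.
        Principal caller = ctx.getCallerPrincipal();
        return "transfer of " + amount + " from " + from + " to " + to
                + " requested by " + caller.getName();
    }
}
```

How the username and password are verified (LDAP, a JAAS login module, or something else) is configured in the application server's security domain, so changing it does not touch this class.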