1.
a) Security information
I haven't been able to find anything concrete in the specifications. However, if you consider the chain of events that leads to setSessionContext being called on a stateful session bean, then bear in mind that it is a client create call on the bean home that leads to setSessionContext being called, not a call on the bean component itself.
So, any client can create the bean but the execution of business methods may depend on the identity of the client. This makes sense to me, at least...
b) Transaction reference
Along the lines of the attempt at answering 2, see below!
2. See page 76, section 7.5.7 of the EJB 2.0 spec (the only one I have available at the moment).
The last section on the page says that "The ejbCreate or ejbRemove methods are not controlled by a transaction attribute because handling rollbacks in these methods would greatly complicate the session instance's state diagram."
To me, it seems like a design choice. Perhaps also motivated by the wish to keep ejbCreate more focused on its intended purpose, but this is just speculation on my part.
Hope it is of some help!
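To make the sequence described in the reply above concrete, here is an added example of an EJB 2.0 stateful session bean; it is not code from the poster or from the EJB specification. The bean class, method names and role names (CartBean, addItem, checkout, "customer", "auditor") and the descriptor fragment in the trailing comment are assumptions chosen for illustration. It shows the container calling setSessionContext as a consequence of the client's create() on the home, ejbCreate running without a transaction attribute, and the business methods being the place where caller identity is actually checked.

```java
// Added example (not from the original post): a minimal EJB 2.0 stateful
// session bean. Class, method and role names are hypothetical.
package example;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class CartBean implements SessionBean {

    private SessionContext ctx;
    private List items = new ArrayList();
    private String owner;

    // Called by the container exactly once, before ejbCreate, as a consequence
    // of the client calling create() on the bean's home interface. In EJB 2.0
    // only getEJBHome/getEJBLocalHome and JNDI access are permitted from this
    // method; caller identity is not available yet, so we only keep the context.
    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    // ejbCreate is not governed by a transaction attribute (EJB 2.0, 7.5.7),
    // so getRollbackOnly()/setRollbackOnly() must not be called here. For a
    // stateful bean, getCallerPrincipal() is permitted in ejbCreate, which lets
    // the instance remember which client created it.
    public void ejbCreate() throws CreateException {
        Principal p = ctx.getCallerPrincipal();
        if (p == null) {
            throw new CreateException("no caller principal available");
        }
        this.owner = p.getName();
    }

    // Business method: runs under the transaction attribute declared for it in
    // ejb-jar.xml, and the container enforces <method-permission> before it
    // is entered. The programmatic check below is an extra guard tied to the
    // instance's own state, which declarative security alone cannot express.
    public void addItem(String sku) {
        if (!ctx.getCallerPrincipal().getName().equals(owner)) {
            throw new SecurityException("cart belongs to " + owner);
        }
        items.add(sku);
    }

    // Role-based check; "auditor" must be declared with <security-role-ref>
    // in ejb-jar.xml so the deployer can map it to a real role.
    public List checkout() {
        if (ctx.isCallerInRole("auditor")) {
            throw new SecurityException("auditors may not check out");
        }
        List snapshot = new ArrayList(items);
        items.clear();
        return snapshot;
    }

    // ejbRemove, like ejbCreate, has no transaction attribute.
    public void ejbRemove() {
        items.clear();
    }

    public void ejbActivate() { }

    public void ejbPassivate() { }
}

/*
 * Assumed ejb-jar.xml fragment (hypothetical): create() on the home is left
 * unchecked so any authenticated client can obtain an instance, while the
 * business methods require the "customer" role.
 *
 *   <assembly-descriptor>
 *     <method-permission>
 *       <unchecked/>
 *       <method><ejb-name>CartBean</ejb-name><method-name>create</method-name></method>
 *     </method-permission>
 *     <method-permission>
 *       <role-name>customer</role-name>
 *       <method><ejb-name>CartBean</ejb-name><method-name>addItem</method-name></method>
 *       <method><ejb-name>CartBean</ejb-name><method-name>checkout</method-name></method>
 *     </method-permission>
 *     <container-transaction>
 *       <method><ejb-name>CartBean</ejb-name><method-name>checkout</method-name></method>
 *       <trans-attribute>Required</trans-attribute>
 *     </container-transaction>
 *   </assembly-descriptor>
 */
```

Note that with this descriptor the client's create() succeeds regardless of role, but the very next addItem() call is rejected by the container unless the caller holds "customer"; the <container-transaction> entry applies to checkout() only, and the spec gives no way to attach one to create() or remove().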