Where to start?
Security context is term referring to security-related data (i.e. Principals, roles) that are used for invocation of EJBs (and other technologies are using same term as well). How it is implemented, what it contains and whether you actually have some SecurityContext class is container specific.
As per EJB spec.
Accessing resource managers and enterprise beans is disallowed in the session bean methods
for which the container does not have a meaningful transaction context and/or client security.
(similar applies to MDB)
Therefore in methods where it is meaningful to have a security context, security identity is either propagated from caller (even from other technologies) or if there is no identity to propagate some default one is used.
So if user does not authenticate default "security context" is used and when you ask for caller identity vendor specific representation of the UNAUTHENTICATED identity is returned (guest, anonymous or something similar).
Further you can use @RunAs annotation (or run-as in DD) to specify identity that will be passed to other components.