I am confused about how stateful and stateless beans behave under a security context.
They both behave the same.
If a user needs to be authenticated before they can use these methods, do we need to change this to a stateful session bean?
Nope.
If the user's information is also needed while creating a bid, would it be better to change the bean to a stateful session bean?
Noope! Secure your bean (@RolesAllowed) and then use the getCallerPrincipal()/isCallerInRole() methods to get the userID/Roles and then retrieve whatever information you need about the user.
Normally, the controller does the authentication, and the security context is propagated to the EJB classes, right?
Once you authenticate against the container (web/ejb), the security context is propagated to the ejb classes by the 'container'.
A word to the wise: reading more about the different types of EJBs (and their applicability when solving a business problem) will hold you in good stead.
Unthinking respect for authority is the greatest enemy of truth. -Albert Einstein, physicist, Nobel laureate (1879-1955)
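As an added illustration of the answer above (not code from the original thread), here is a stateless session bean secured with @RolesAllowed that reads the caller's identity from the container-propagated SessionContext instead of taking a user id as a method argument. The BidService, User and Bid classes, the "bidder"/"auditor" role names and the persistence unit are all hypothetical.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import java.math.BigDecimal;
import java.security.Principal;

// Hypothetical stateless bean: it keeps no conversational state, because the
// caller's identity arrives with every invocation via the security context
// the container propagates from the web tier. No stateful bean is needed.
@Stateless
@DeclareRoles({"bidder", "auditor"})
public class BidService {

    @Resource
    private SessionContext ctx;   // injected by the container

    @PersistenceContext
    private EntityManager em;     // hypothetical persistence unit

    // The container rejects unauthenticated or unauthorised callers with
    // javax.ejb.EJBAccessException before this method body ever runs.
    @RolesAllowed("bidder")
    public Bid placeBid(long auctionId, BigDecimal amount) {
        // Authenticated caller as established by the container, not by the client.
        Principal caller = ctx.getCallerPrincipal();

        // Load whatever user data the bid needs, keyed by the trusted principal
        // name rather than by a user id the client could have supplied.
        User bidder = em.find(User.class, caller.getName());   // hypothetical entity
        if (bidder == null) {
            throw new IllegalStateException("no user record for " + caller.getName());
        }

        Bid bid = new Bid(auctionId, bidder, amount);           // hypothetical entity
        em.persist(bid);
        return bid;
    }

    // Finer-grained decision inside a method both roles may call.
    @RolesAllowed({"bidder", "auditor"})
    public boolean canSeeAllBids() {
        return ctx.isCallerInRole("auditor");
    }
}
```

On Jakarta EE 9 and later the same annotations live under the jakarta.* packages instead of javax.*.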