If you are using standard j2ee security to log into your web application, then the identity of the authenticated user (principal) should be propagated from the web layer to the ejb layer automatically.
If your web application is secured using other ways, you can still log in programmatically against the ejb layer from within you code, using the ProgrammaticLogin class. But then you will need the user password.
[Message sent by forum member 'ewernli' (ewernli)]
http://forums.java.net/jive/thread.jspa?messageID=274990