the invocation of the ejb will occur over the RMI/IIOP protocol and your client side ORB must be capable of injecting the necessary security information in the outgoing protocol messages. The following link describes how to configure a standalone client for v3.
https://glassfish.dev.java.net/javaee5/ejb/EJB_FAQ.html#StandaloneRemoteEJB
Once you have setup your client, it should receive and interpret security policy info obtained with the object reference. This policy info should cause your client to use a callback handler to solicit a username and password from its user; which it will then send with the request.
Hopefully following the instructions in the FAQ should be sufficient. if your client doesn't pop up a username/password callback handler, it may mean the default callback handler is not compatible with your client environment, or that the security policy associated with your ejb needs to be explicitly defined.
[Message sent by forum member 'monzillo' (ronald.monzillo_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=384141