Yes, it's a Java EE platform requirement. It's one of the services that distinguishes an Application Client component from a plain Java SE (stand-alone) client. Many plain Java SE clients access Remote EJB components, but there is no portable programmatic authentication API so such clients either can't access protected Remote EJB components or they are forced to use a vendor-specific authentication API.
[Message sent by forum member 'ksak']
http://forums.java.net/jive/thread.jspa?messageID=393761