I have following client code to look up for an entity bean:
public class Test
{
EJBHome home = null;
try
{
Context initial = new InitialContext();
Object objref = initial.lookup("AuditHome");
Object obj = PortableRemoteObject.narrow(objref,"AuditHome.class" );
home = (EJBHome)obj;
Audit a = home.create();
}
catch(Exception e)
{
e.printStackTrace();
}
}

where "AuditHome" is the home interface of AuditBean bound with JNDI using ejb-jar.xml and jboss.xml.
We have security roles defined in assembly-descriptor to restrict the access to AuditBean.
How do I pass on the user name and credentials from client so that he can be given access to AuditBean.
Rather, how would I restrict an user from accessing AuditBean.