Standard ejb-jar.xml allows you to set security roles per method, just leave the one that calculates the identity as < unchecked/>.
You can do client side login() after invoking this method.
Yes, the session bean can do a login and use the ClientLoginModule to set the caller identity for subsequent calls. If your trying to invoke secured methods on the bean doing the login, you will have to obtain the remote/local interface from the session context and invoke the methods through that or else you are bypassing the security checks.
There is an example of a servlet calling into the ejb layer after a jaas login in the testsuite called org.jboss.test.web.servlets.ClientLoginServlet