The first thing to realise is that, once you apply security, ALL EJB method calls must be accompanied by principal and credentials. Your client (assuming that it is a heavy client) has to store principal and credentials in the client context and supply these with every call.
You could write an unsecured module that tests and validates credentials independently, but it doesn't gain you very much.
It's simpler to have an empty method on a session bean which is called to test principal and credentials from the login screen as soon as the user has entered them.
I can dig out some sample code if this is of interest.
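
The empty-method login check described above, as an added example that is not the poster's sample code. It assumes EJB 3 annotations and a container that takes the principal and credentials from the JNDI environment; `LoginProbe`, `LoginCheck`, the `user` role and the JNDI name `ejb/LoginProbe` are hypothetical.

```java
// Added example. LoginProbe, the "user" role and the JNDI name are assumptions.
// Shown in one listing; for deployment each type is public and in its own file.
import java.util.Properties;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

@Remote
interface LoginProbe {
    void ping();
}

@Stateless
@RolesAllowed("user") // a role every valid user holds (assumed name)
class LoginProbeBean implements LoginProbe {
    public void ping() {
        // Intentionally empty: the container's security check is the whole test.
    }
}

final class LoginCheck {
    // Returns true if the container accepts the principal and credentials.
    // vendorJndi carries the container-specific context factory and provider URL.
    // Other NamingExceptions propagate, so an outage is not shown as a bad password.
    static boolean accepted(String user, String password, Properties vendorJndi) throws NamingException {
        Properties env = new Properties();
        env.putAll(vendorJndi);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        Context ctx = null;
        try {
            ctx = new InitialContext(env);  // some containers authenticate here
            LoginProbe probe = (LoginProbe) ctx.lookup("ejb/LoginProbe"); // assumed name
            probe.ping();                   // others only on the first secured call
            return true;
        } catch (AuthenticationException | EJBAccessException rejected) {
            return false;                   // rejected principal or credentials
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

Call `LoginCheck.accepted(...)` from the login screen and keep the same environment properties for later lookups, so every subsequent EJB call carries the identity that was just tested.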