No need for any specific configuration. From your web tier (Servlets), use InitialContext to look up your beans. The security propagation happens automatically.
since the ejb tier is on a different box than the web tier, I thought that conceptually, I would need to configure the ejb tier to trust the security info coming in from a specific web tier box (otherwise, it may be possible to fake the principal and get in without authentication.)
anyways, I tested this configuration using form base authentication at the web tier level and then invoking an ejb on a different box. I invoked a method that doesn't require any authorization and that works fine (initial context plumbing working). When I tried a method requiring authorization, got an exception saying that there is insufficient permission and that the principal=null. Am I missing something?