1) Have a look at JAAS; it should handle all your security needs.
2) Well, you need to write your client and include the JARs from jboss/client. Then just do a JNDI lookup to your entry point for your middle tier. Once you have a reference to this (a session bean, for instance), away you go.
3) If you have an EAR file built for you, just put it in /jboss/deploy and JBoss will deploy it for you (assuming the development team built it right ;) ).