Dear Java Developers,

I am currently researching how Java EE6 Security can secure our applications using GlassFish. I know how to make realms, roles and users.
I managed to get a nice basic login with a servlet. 'Normal'users were not allowed to see an admin page, while an admin user was,
so that test worked out nicely.

Now however, I want to step a little bit deeper into it.

The idea is that I host a webservice using an EJB container.
This webservice does not know anything about it's callers so I figured the caller has to send credentials (username and password) along with the call.
The webservice could then authenticate the user and could then, based on this, allow or deny access to methods.

The thing is, that I have no clue on how to check 2 strings (username and password) and set up a role for the callers within the webservice.

I know this API should help me out:
EJBContext (Java 2 Platform Ent. Ed. v1.4)

But it doesn't give me a clear understanding on how to do this. All it says to me is that I can check certain properties when the user is already in a role,
but since it's a webservice, there is no role yet... I have to create it first, but how?

Also, I know that GlassFish supports sign on through LDAP, which is the end goal I am working towards. Perhaps any ideas on how to do that correctly?
What would be the best way to approach this all?

Thanks in advance,