how to bring ejb security together with normal user account
John Breitner
Greenhorn
Joined: Dec 11, 2002
Posts: 5
|
|
Primarily, I don't understand the EJB security model. I know I can configure every EJB method with security restrictions, and I can create user roles and users. I think this works without any problems if I have only a handful of users. But how do I use the built-in security when 10000 web users can create their own accounts? I can only create an EJB user account by hand and not in code. Is this right?! OK, I think it would be nice if I had something like a single EJB account called "webuser" and my own user system. And every user who has logged in with my system can use everything that my EJB "webuser" can do. Can I do this? And if so, how?
|
 |
John Breitner
Greenhorn
Joined: Dec 11, 2002
Posts: 5
|
|
It looks like I found the answer by myself ...

http://java.sun.com/blueprints/guidelines/designing_enterprise_applications_2e/security/security3.html

9.2.3.1 Self-Registration

Some Web-based applications must authenticate users whose identities cannot be known in advance of their first use of the application. In contrast to typical computer user authentication environments, where a user must wait for an administrator to set up the user's account, such applications require an automated means for users to register an authentication identity for themselves.

To self-register, the user is required to provide his or her identity and may be required to provide a password to protect the account along with one or more additional forms of identification, agree to some contractual obligations, and/or provide credit card information for payment. Once the registration dialog is complete, the user may authenticate as necessary to access the protected resources of the site.

The self-registration mechanisms provided by J2EE platforms are platform-specific. Applications that depend on these mechanisms should do so in a fashion that allows them to evolve, employing standard facilities and APIs as they are added to the platform. In the absence of portable self-registration mechanisms, application developers should resist the temptation to move user authentication and authorization into the application.
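
The single-role idea from the question, expressed with the container's declarative security, as an added example that is not part of the thread: an EJB 2.x `ejb-jar.xml` fragment in which the bean name `AccountService` and its method names are hypothetical. The descriptor names only the role `webuser`; which accounts hold that role is decided in the container's platform-specific user store, which is where self-registered accounts would be added.

```xml
<!-- Added example, not from the thread. Bean and method names are hypothetical. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountService</ejb-name>
      <!-- home, remote, ejb-class, session-type, transaction-type omitted -->
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- A role is a logical name. No user names or passwords appear in
         this file, so the descriptor is the same for 5 users or 10000. -->
    <security-role>
      <description>Any self-registered, authenticated web user</description>
      <role-name>webuser</role-name>
    </security-role>

    <!-- Per-method restriction: callers must be in role "webuser".
         The container performs this check before the bean code runs. -->
    <method-permission>
      <role-name>webuser</role-name>
      <method>
        <ejb-name>AccountService</ejb-name>
        <method-name>getProfile</method-name>
      </method>
      <method>
        <ejb-name>AccountService</ejb-name>
        <method-name>updateProfile</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
<!-- Assigning a newly registered account to "webuser" happens in the
     container's user store through a vendor-specific mapping; that is
     the platform-specific part the quoted guideline refers to. -->
```

Authentication and the role check stay in the container, as the quoted guideline recommends; only the step that adds an account to the user store varies by platform.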