I was even faced with the same trouble as your, and thought out some idea,
here are two solutions, but they just represent my point view.
1. Both web app and swing app base on web container, in other words, swing app access
EJB through web container, so you can put a Filter in web tier.
2.To swing app, client directly access EJB, and you configure the security of EJB in ejb-jar.xml.
best reguards