I may not totally be answering your question, but it may be related to something I ran into, and that was assuming the generated WAR file (and I'm working with EJB3 endpoints) would contain the proper security constraints. I couldn't get the annotations to work for that, so I created the jboss-web.xml and web.xml and packaged my own WAR, and it worked fine.
Look at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=91699 for my post that touches on this.
I have a JAAS module that does the login and creates a Principal which my EJB3 endpoint can access. It also loads the roles so my EJB3's "@RolesAllowed" annotation is honored.
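An added illustration of the two descriptors the post above mentions, not the poster's own files: a web.xml that carries the security constraint and a jboss-web.xml that ties the WAR to a JAAS security domain. The role name `ExampleServiceUser`, the realm name, the `/*` URL pattern, the BASIC login method and the domain `example-domain` are all assumptions, and the endpoint's servlet declaration, which the post does not give, is not shown.

```xml
<!-- WEB-INF/web.xml (constructed example; URL pattern, role and realm names are assumptions) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Require an authenticated caller in the given role for every endpoint URL -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web service endpoints</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements: the constraint covers all HTTP methods -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>ExampleServiceUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC credentials are only base64-encoded, so require TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <security-role>
    <role-name>ExampleServiceUser</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml (separate file; the domain name is an assumption) -->
<jboss-web>
  <!-- Binds the web application to the JAAS security domain configured on the server -->
  <security-domain>java:/jaas/example-domain</security-domain>
</jboss-web>
```

The role in `auth-constraint` has to be one that the JAAS login module loads for the caller, and the same role name is what `@RolesAllowed` checks on the EJB3 endpoint.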
Thanks for sharing your thoughts. But I am using webservices based upon servlets, because we use a WSDL first approach (specify the contract first with XML schema support). The generated code with WSCompile / WSTools generates servlet based endpoints. So I am not using annotations nor EJBs. But do you also use username profile tokens in the SOAP header?
If your approach works, I would be very interested to know.