you can get service level control of the security domain by adding the JBossAuthenticationHandler to the services request chain in the web-service.xml file like so
<!-- change this to the policy you want -->
I think you have to comment out the JBossAuthenticationHandler in the axis-config.xml file though.
There are xDoclet tags for this and the JBossAuthorizationHandler in the cvs version of jboss. I haven't managed yet to submit a patch to the xDoclet guys, so you would have to add the classes in and recompile xdoclet yourself for now.
* scope="Session" <- or "Application" or "Request"
* @--jboss-net.authorization <-- hidden from xDoclet in this example