Karel,
You' have found a bug, and a fix is being tested.
The PolicyContext handler is intended for use by authorization Policy modules such that such a module can have access to additional context with which to make its access decision. When a SecurityManager is enabled, use of the handler requires the setPolicy permission. The additional context is available during the invocation; so that it is available for use by policy, should the component make a call (like isCallerInRole) that performs a policy check.
Glassfish is the Reference Implementation for JSR 196, which may be of interest to you wrt your question:
"might I get content of SOAP message in somewhat different way?"
JSR 196 is used in Glassfish to provide support for pluggable network authentication modules, in either the HttpServlet or SOAP message processing layers.
You can see the proposed final draft of the 196 spec at:
http://jcp.org/en/jsr/detail?id=196
and if you will be at JavaOne, there will be a 196 BOF late thrursday night.
Thursday, 9:55 PM - 10:45 PM BOF-4663
Plugging the Authentication Gap in Java Technology-Based Containers
The 196 SPI allows you to integrate authentication modules in the Glassfish container, where they will be run on behalf of applications. This is a little different that your test; since the soap message interpretation is not packaged in the application, so it might not be exactly what you are looking for.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=214889