I'm noty sure why you are not able to define a default soap layer module, but please be aware that there is a bug in the AuthConfigFactory, that is exposed when you set providers as the default (and then restart the appserver)
https://glassfish.dev.java.net/issues/show_bug.cgi?id=4959
note that glassfish already provides SAM's and CAM's for authenticating web service invocations. There were primarily defined to support the ws-security standard; which includes support for username password authentication. It may be that you can use those providers. If not I can help you develop your own modules.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=281474