The 9.3.3 statement that different threads may be used for each handler in a handler chain is somewhat confusing. The solution I described above is based on the SoapHandler getting access to the user credentials through the FacesContext->ServletRequest which would be uniqe to the invocation of the service method. However if its a random thread that calls the SoapHandler then it may have no access to the user credentials through the ServletRequest.
I have tested the solution on Weblogic where it seems to work but maybe Im just lucky it dosent use a pool of random threads?
Unless my interpretation of 9.3.3 is wrong how would a SoapHandler that is not supposed to carry any state, only be set once to serve many invocations and run in a random thread ever get access to the credentials thats needed for that particular invocation?