In 3.x, GlassFish completely denies admin users direct access to instances. The rework of the admin protocol to use REST, combined with the move to separate authentication and authorization, has broken this. GlassFish 4.0 needs to prevent admin users from performing update operations by connecting directly to instances.
In an e-mail exchange with the security team I suggested a couple of alternatives, and Jeff prefers (as I do) using the authorization service to control this, rather than (as in 3.x) totally shutting off direct admin access to instances. (There are some cases - such as metrics - where that's useful.)