In JASPIC 1.1 a new feature was specified that allows a SAM to ask the runtime to register a session. See http://java.net/jira/browse/JASPIC_SPEC-3 and http://jcp.org/aboutJava/communityprocess/maintenance/jsr196/module-asking-for-container-auth-session.pdf
Changes for this were made to GlassFish 4, but in practice they don't seem to work.
From a SAM's validateRequest method I called the following code:
An authenticated identity was set via code such as the following:
After this a protected resource could indeed be invoked, but after requesting the same protected resource again, the SAM was also invoked again without any trace from the previously established authenticated identity. If I'm not mistaken the idea is that the runtime remembers this authenticated identity (name + groups/roles) and will not invoke the SAM again until the user explicitly log outs, or removes the HTTP session.
p.s. I also tested on GlassFish 126.96.36.199 using the proprietary key com.sun.web.RealmAdapter.register and checked by stepping into the GlassFish source code that the "register" branch is indeed taken in RealmAdapter:
There too the authenticated identity was not remembered.