The points at which this integration can occur are described in the spec:
A typical message interaction between a client and server begins with a request from the client to the server. The server receives the request and dispatches it to a service to perform the requested operation. When the service completes, it creates a response that is returned back to the client. The four points of interception consist of two on the client side (upon first request and just before receipt of response), and two on the server side (at receipt of request, and after execution of the request).
The SPI defined by the specification is structured such that message processing runtimes can inject security processing at four points in the typical message interaction scenario. A message processing runtime uses the SPI at these points to delegate the corresponding message security processing to an authentication provider or module integrated into the runtime by way of the SPI.
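The four interception points can be seen in a small self-contained model. This is an added example, not code from the specification or its reference implementation: the class and method names (`HmacModule`, `secure`, `validate`, `serve`, `call`) are hypothetical, and an HMAC tag stands in for whatever message protection a real module would apply.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.function.UnaryOperator;

public class FourPointDemo {
    // Hypothetical authentication module that the runtimes delegate to.
    static final class HmacModule {
        private final SecretKeySpec key;
        HmacModule(byte[] k) { key = new SecretKeySpec(k, "HmacSHA256"); }
        String secure(String dir, String body) throws Exception {
            return body + "|" + Base64.getEncoder().encodeToString(mac(dir + ":" + body));
        }
        String validate(String dir, String wire) throws Exception {
            int i = wire.lastIndexOf('|');
            if (i < 0) throw new SecurityException("missing tag");
            String body = wire.substring(0, i);
            byte[] tag;
            try { tag = Base64.getDecoder().decode(wire.substring(i + 1)); }
            catch (IllegalArgumentException e) { throw new SecurityException("malformed tag"); }
            if (!MessageDigest.isEqual(tag, mac(dir + ":" + body))) throw new SecurityException("bad tag");
            return body;
        }
        private byte[] mac(String s) throws Exception {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(s.getBytes(StandardCharsets.UTF_8));
        }
    }
    // Server-side runtime: at receipt of request, and after execution of the request.
    static String serve(HmacModule m, String wire, UnaryOperator<String> service) throws Exception {
        String req = m.validate("req", wire);          // service is never reached on failure
        return m.secure("resp", service.apply(req));
    }
    // Client-side runtime: upon first request, and just before receipt of response.
    static String call(HmacModule m, String req, UnaryOperator<String> network, UnaryOperator<String> service) throws Exception {
        String wire = network.apply(m.secure("req", req));
        return m.validate("resp", serve(m, wire, service));
    }
    public static void main(String[] args) throws Exception {
        HmacModule m = new HmacModule("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        UnaryOperator<String> svc = r -> "echo:" + r;
        System.out.println(call(m, "ping", w -> w, svc));              // untouched request
        try { call(m, "ping", w -> "pong" + w.substring(4), svc); }    // body altered in transit
        catch (SecurityException e) { System.out.println("rejected before dispatch: " + e.getMessage()); }
    }
}
```

The direction label mixed into the tag keeps a protected response from being accepted as a request.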
Updated - originally this news item had the wrong JSR number, thanks to those who pointed that out.