What is the best way to do authentication and authorization in web services?

I am developing a set of web services, requiring role based access control.
Using metro – SOAP, simple java without EJBs.

• I want to Authenticate the user just one time, using username and
  password, to be matched against a data base. In the subsequent calls.
• I would like to use some kind of session management. Could be some
  session id, retrieved to the client at login, to be presented in all
  calls.

So Far:

• Read authentication using a database – but I want application level validation;
  

• Read application authentication with jax-ws – but i don’t want to do the authentication mechanism every time;

• I think I can use a SOAP Handler, to intercept all the messages, and do the authorization control in the hander, using some session identifier token, that comes with the message, that can be matched against an identifier saved in the data base, in the login web method.

EDIT:

I still have some questions:

• How to know the name of the web method being called?
• What kind of token should I use?
• How to pass this token between calls?

EDIT 2

Because of @ag112 answer:

I’m using Glassfish.

I use WS-Policy and WS-Security to encrypt and sign the messages. Using Mutual Certificate Authentication. I would like to complement this message level security between applications, with the authentication and authorization for the users also in message level.

I am just developing the services, and I don’t know almost nothing the clients, just that they could be created in different languages.

At this point I think the most important thing is to do what ever I need to do to authenticate and authentication the users, I the most easy way to be implemented for the client applications.