I see your point - and you are right!
However, I do not see wildcards as a good solution: people will try to do weird things like mapping all the groups including the word "admin" to the admin role (I have seen this done with other technologies), with the risk of including groups created later like "madminers", without even realizing it (imagine a bunch of crazy people covered in coal dust with full access to your enterprise application!).
[Message sent by forum member 'thedayofcondor' (thedayofcondor)]
http://forums.java.net/jive/thread.jspa?messageID=242368
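
The over-matching risk described in the post above, as an added example that is not part of the original message or of any product's code: it resolves roles under a wildcard mapping and under an explicit one, then lists grants that nobody reviewed. The pattern syntax (`fnmatch`-style), the function names and every group name except "madminers" are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data; only "madminers" appears in the post above.
WILDCARD_MAPPING = {"admin": ["*admin*"]}              # role -> group patterns
EXPLICIT_MAPPING = {"admin": ["admins", "db-admins"]}  # role -> exact group names
APPROVED = {"admin": {"admins", "db-admins"}}          # groups reviewed when the mapping was written


def resolve_roles(mapping, group, wildcard=False):
    """Return the set of roles a group receives under a mapping."""
    roles = set()
    for role, entries in mapping.items():
        for entry in entries:
            hit = fnmatchcase(group, entry) if wildcard else group == entry
            if hit:
                roles.add(role)
    return roles


def unreviewed_grants(mapping, directory_groups, approved, wildcard=False):
    """List (group, role) pairs the mapping grants but nobody approved."""
    findings = []
    for group in sorted(directory_groups):
        for role in sorted(resolve_roles(mapping, group, wildcard)):
            if group not in approved.get(role, set()):
                findings.append((group, role))
    return findings


# Directory contents at review time, then after "madminers" is created later.
DIRECTORY_BEFORE = {"admins", "db-admins", "sales"}
DIRECTORY_AFTER = DIRECTORY_BEFORE | {"madminers"}

if __name__ == "__main__":
    for label, groups in (("before", DIRECTORY_BEFORE), ("after", DIRECTORY_AFTER)):
        print(label, "wildcard:",
              unreviewed_grants(WILDCARD_MAPPING, groups, APPROVED, wildcard=True))
        print(label, "explicit:",
              unreviewed_grants(EXPLICIT_MAPPING, groups, APPROVED))
```

Running a check like `unreviewed_grants` whenever the directory changes turns a silent wildcard match into a finding someone has to approve.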