Some more info. I managed to access the JAAS Subject using SecurityContext.getCurrent().getSubject() and printing it clearly shows the correct groups:
filter got subject 'Subject:
Principal: user1
Principal: group1
Principal: group2
Principal: group3
Private Credential: Realm=MyRealm Username=user1 Password=######## TargetName = [B_at_139a367
'|#]
[Message sent by forum member 'erikengerd' (erikengerd)]
http://forums.java.net/jive/thread.jspa?messageID=245861