It looks like there is a mismatch between your principal-2-role mapping and the group principals that you are adding in your SAM via the GroupPrincipalCallback. The callback adds "shared" group principals, while the CallerPrincipalCallback is used to add non-group principals.
Try changing your p2R mapping to include either of the following mappings:
<security-role-mapping>
    <role-name>DefaultRole</role-name>
    <group-name>DefaultRole</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>DefaultRole</role-name>
    <principal-name>testUser</principal-name>
</security-role-mapping>
Regarding your question about codesource: the GlassFish policy subsystem is aligned with the GlassFish synchronization system, which synchronizes application files across server instances by finding the root directory of the application by application name. If the app is composed of multiple modules, there will be a subdirectory for each module. It may be that your app is composed of one module, in which case, I believe it is rooted in an application directory with the same name as the module/context path. Thus the codesource of your module has the same name at 2 levels, following the resulting directory structure.
If you decide to use a group-based mapping, with group principals mapped to same-named roles, then you might want to consider activating the default p2R mapping of GlassFish as defined in:
http://blogs.sun.com/monzillo/entry/principal_2_role_mapping_and
You will also find other information related to using JSR 196 at the top level of my blog.
If you have any more questions, please send them along,
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=258587