users@glassfish.java.net

Re: JSR196 ClientAuthModule Problems

From: <glassfish_at_javadesktop.org>
Date: Tue, 12 Feb 2008 14:24:29 PST

something like that :) I would explain it as follows:

in the policy evaluation, the type of the principal, not just its name is significant

the declarative syntax Glassfish uses for p2r mapping has historically assumed the principal type corresponding to the principal-name. To distinguish "user" principals from "group" principals, the syntax "featured" the "principal-name" and "group-name" sub-elements.

When the Glassfish CBH processes a CallerPrincipalCallback it adds a principal of the same type as implied/assumed for a principal-name in the Glassfish p2r mapping syntax. Similarly, the processing of a GroupPrincipalCallback results in the addition of one or more principals of the same type as that associated with a group-name in the mapping. The purpose of the Callbacks is exactly so that SAMs don't have to know the specific types used by an appserver to represent user and shared/group principals.

fwiw, the principal-name element supports a Type/classname attribute that can be used to change the type of the principal associated with the name. This attribute can be used to establish the type, by class name, of the associated principal. If you know the name of the Class added by the Glassfish CallbackHandler when it processes a GroupPrincipalCallback, you could specify the classname for the attribute, and thereby represent the same mapping (with principal-name) that you achieved via group-name.

Ron

ps: you can find some but not all of what I describe above documented in the developer guide. see "Securing Applications" in: http://docs.sun.com/app/docs/doc/819-3672/beabj?a=view
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=258605
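The point of Ron's reply is that a SAM should establish the caller and its groups only through CallerPrincipalCallback and GroupPrincipalCallback, and let the GlassFish CallbackHandler choose the concrete Principal classes that the principal-name / group-name mapping expects. The following ServerAuthModule is an added example illustrating that pattern; it is not code from the thread or from GlassFish. The class name, the X-Demo-Token header, its "user:group1,group2" format and the sun-web.xml mapping shown in the trailing comment are assumptions made for the example; a real module would verify a signed token or certificate instead of trusting a header.

```java
// Added example (not from the thread or GlassFish): a minimal JSR 196 SAM that
// sets the caller and groups only via the container's callbacks, so it never
// needs to know which Principal classes GlassFish uses internally.
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CallbackDemoSam implements ServerAuthModule {   // hypothetical name

    private CallbackHandler handler;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;   // the CallbackHandler GlassFish hands to the SAM
    }

    public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // Hypothetical credential: header value "user:group1,group2" (assumption made
        // for this example; stands in for real credential validation).
        String[] parsed = parseToken(request.getHeader("X-Demo-Token"));
        if (parsed == null) {
            // Fail closed: add no principal, reject the request.
            try {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } catch (IOException e) {
                throw (AuthException) new AuthException("cannot send 401").initCause(e);
            }
            return AuthStatus.SEND_FAILURE;
        }
        String user = parsed[0];
        String[] groups = parsed[1].split(",");

        try {
            // The CBH adds a principal of the type GlassFish assumes for <principal-name>.
            CallerPrincipalCallback callerCb = new CallerPrincipalCallback(clientSubject, user);
            // The CBH adds one principal per name, of the type it uses for <group-name>.
            GroupPrincipalCallback groupCb = new GroupPrincipalCallback(clientSubject, groups);
            handler.handle(new Callback[] { callerCb, groupCb });
        } catch (IOException e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        } catch (UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback not supported").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();   // drop what the callbacks added
        }
    }

    // Returns {user, "g1,g2"} or null when the header is absent or malformed.
    static String[] parseToken(String token) {
        if (token == null) return null;
        int sep = token.indexOf(':');
        if (sep <= 0 || sep == token.length() - 1) return null;
        return new String[] { token.substring(0, sep), token.substring(sep + 1) };
    }
}

// Assumed sun-web.xml fragment that maps the group named by the SAM to a role;
// because the SAM used GroupPrincipalCallback, <group-name> matches the principal
// type the CBH added, and no class-name attribute on <principal-name> is needed:
//
//   <security-role-mapping>
//     <role-name>admins</role-name>
//     <group-name>admin</group-name>
//   </security-role-mapping>
```

If the same group were instead listed under principal-name, the mapping would only match if the class-name attribute named the group principal class the GlassFish CBH actually adds, which is the workaround Ron describes and the reason to prefer group-name for group callbacks.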