users@glassfish.java.net

Re: asadmin create-auth-realm fails with custom JACC provider

From: <glassfish_at_javadesktop.org>
Date: Wed, 21 May 2008 13:43:30 PDT

Sorry for not predicting this.

The admin app is a "predeployed" system app. Its policy was created at the time the domain was created. When you replace the policy provider, it will not find the corresponding policy contexts in service, and thus the container will, in effect, reconfigure the policy using your provider. As you have concluded, for your provider to produce identical semantics, it will need to use the same p2r mapping. In the case of the admin apps the mapping is fairly trivial.

One way to make it easier for your provider to get p2r mapping info in different containers would be to define a p2r mapping interface, and register a PolicyContextHandler that returns an implementation of the interface. Your provider could use the PolicyContext.getContext method to invoke the handler, and get the mapping.

The mapping object could use appserver-specific interfaces to get access to the principal-2-role mapping info defined by the container for the app. When I can find some time, I plan to write a tech tip on how to do this.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=275831
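
The handler approach described in the message above, sketched as an added example (not code from the original post or from GlassFish). The interface `PrincipalToRoleMapper`, the handler key, the context ID and the role name are hypothetical; it assumes Java 9+ with the `javax.security.jacc` API jar on the classpath.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.PolicyContextHandler;

// Hypothetical interface: hides how each container stores its p2r mapping.
interface PrincipalToRoleMapper {
    Set<String> rolesFor(String contextId, Principal principal);
}

// Handler that returns the mapper to any caller asking for KEY.
final class P2RHandler implements PolicyContextHandler {
    static final String KEY = "example.jacc.PrincipalToRoleMapper"; // assumed key name
    private final PrincipalToRoleMapper mapper;
    P2RHandler(PrincipalToRoleMapper mapper) { this.mapper = mapper; }
    public boolean supports(String key) { return KEY.equals(key); }
    public String[] getKeys() { return new String[] { KEY }; }
    public Object getContext(String key, Object data) { return supports(key) ? mapper : null; }
}

public final class P2RExample {
    // Container-specific glue: run once at startup with that container's mapper.
    static void register(PrincipalToRoleMapper mapper) throws PolicyContextException {
        PolicyContext.registerHandler(P2RHandler.KEY, new P2RHandler(mapper), true);
    }

    // Provider side: portable code that only knows the interface and the key.
    static boolean isInRole(Principal p, String role) {
        try {
            PrincipalToRoleMapper m =
                (PrincipalToRoleMapper) PolicyContext.getContext(P2RHandler.KEY);
            return m != null && m.rolesFor(PolicyContext.getContextID(), p).contains(role);
        } catch (PolicyContextException | IllegalArgumentException e) {
            return false; // no handler registered or lookup failed: deny
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed mapping for one constructed policy context.
        Map<String, Set<String>> roles = Map.of("admin", Set.of("constructed-role"));
        register((ctx, p) -> "constructed-ctx".equals(ctx)
                ? roles.getOrDefault(p.getName(), Set.of()) : Set.of());
        PolicyContext.setContextID("constructed-ctx");
        Principal admin = () -> "admin";
        Principal guest = () -> "guest";
        System.out.println(isInRole(admin, "constructed-role")); // true
        System.out.println(isInRole(guest, "constructed-role")); // false
    }
}
```

`PolicyContext.getContext` throws `IllegalArgumentException` when no handler is registered for the key, so the provider treats that case as a denial rather than falling through to a permissive default.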