If the web and EJB tiers are executing in the same VM, then the security context containing the group principals on which the role mappings are based will be seen by the EJB tier. It gets a little more complicated if you require distribution of the web and EJB tiers, as in that case the group principals are not sent across the wire. The CSIv2 protocol defines how to do this, but at a higher conformance level than is required for EE compatibility. So, for this to work across a network hop, you need to be able to reassign the group principals based on the asserted caller id, which is something that requires a change to the way we process identity assertions within the CSIv2 layer of GlassFish.
Although not obvious from the defect report, I think the intent is to handle this problem as part of the resolution of the following issue:
https://glassfish.dev.java.net/issues/show_bug.cgi?id=3873
Please feel free to share my answers on the OpenSSO forum.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=279778