users@glassfish.java.net

Re: RE: Re: @RunAs doesn't forward security principal?

From: <glassfish_at_javadesktop.org>
Date: Wed, 24 Sep 2008 14:56:21 PDT

dcam, I think I have already responded in another thread, but just to make sure: we are working to integrate the fix for this in GlassFish V3, and have recommended that it also be fixed in V2.

Marcus, the problem is the result of an oversight in the processing of identity assertions that are sent to a remote EJB container. In this case, there is a standard that defines the format of the identity assertion such that it includes just the caller (principal identity). Thus the additional group principals (re)assigned to the caller must be assigned at the remote node, and since this is an identity assertion (without an authenticator), the interaction with the underlying realm does not occur and the group principals are thus not restored. The solution is to interact with the realm to obtain the groups (after determining that the identity assertion is to be accepted).

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=301391
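
The behaviour described in the message above, modelled as an added example (not GlassFish code and not part of the original message): the receiving container gets only the caller name in the identity assertion, so role checks that depend on groups fail unless the realm is consulted after the assertion is accepted. The `Realm` interface, the trusted-peer set, the role mapping and all names and data are hypothetical and constructed for the demo.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class IdentityAssertionDemo {
    // Hypothetical stand-ins for container principal types; not GlassFish classes.
    record Caller(String name) implements Principal { public String getName() { return name; } }
    record Group(String name) implements Principal { public String getName() { return name; } }

    // Hypothetical realm interface: group lookup by user name, no authentication.
    interface Realm { Set<String> groupsOf(String user); }

    // Constructed demo data: realm contents, role-to-group mapping, trusted peers.
    static final Realm REALM = user ->
            Map.of("batchUser", Set.of("batch-admins")).getOrDefault(user, Set.of());
    static final Map<String, String> ROLE_TO_GROUP = Map.of("admin", "batch-admins");
    static final Set<String> TRUSTED_ASSERTERS = Set.of("node-a");

    // Receiving container: the assertion carries only the caller's name.
    static Subject accept(String asserter, String assertedCaller, boolean consultRealm) {
        // Decide first whether the identity assertion is to be accepted at all.
        if (!TRUSTED_ASSERTERS.contains(asserter)) {
            throw new SecurityException("assertion from untrusted peer: " + asserter);
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(new Caller(assertedCaller));
        if (consultRealm) {
            // The fix: no authenticator ran, so groups must be fetched explicitly.
            for (String g : REALM.groupsOf(assertedCaller)) {
                subject.getPrincipals().add(new Group(g));
            }
        }
        return subject;
    }

    // Role check based on group principals, as a container would do for mapped roles.
    static boolean isCallerInRole(Subject subject, String role) {
        String group = ROLE_TO_GROUP.get(role);
        return subject.getPrincipals(Group.class).stream()
                .anyMatch(g -> g.getName().equals(group));
    }

    public static void main(String[] args) {
        Subject before = accept("node-a", "batchUser", false); // behaviour with the oversight
        Subject after = accept("node-a", "batchUser", true);   // behaviour with realm lookup
        System.out.println("admin without realm lookup: " + isCallerInRole(before, "admin"));
        System.out.println("admin with realm lookup:    " + isCallerInRole(after, "admin"));
    }
}
```

The group lookup runs only after the trust decision on the asserting peer, matching the order given in the message.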