users@glassfish.java.net

Re: How does an EJB invocation from outside glassfish get assigned roles?

From: <glassfish_at_javadesktop.org>
Date: Tue, 16 Sep 2008 11:04:08 PDT

(As I think you have concluded) for the remote invocation, the web container includes an identity assertion in the RMI/IIOP message it sends to the EJB container. The identity assertion contains only the caller principal; it does not contain the caller's group principals. When the identity assertion arrives at the remote container, the caller's group principals should be added to the security context, but that is not happening. For a local web-to-EJB invocation, the security context is shared such that the groups are preserved across the network.

If you are able to include a caller-based p2r mapping on the remote system, that would be one way to work around the problem. You can see a related posting here:

http://forums.java.net/jive/thread.jspa?messageID=285659

This is a known problem, and should be resolved approximately as described in the above issue. That is, the realm of the receiving system should be consulted (during processing of the identity assertion) to add the appropriate groups to the security context.

There is an open GlassFish issue to fix this; see

https://glassfish.dev.java.net/issues/show_bug.cgi?id=3873

You may want to refer to it in any other posts on this problem.
I'll see if we can expedite its resolution.

thanks,

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=299635
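One concrete shape for the caller-based p2r mapping suggested above, written as an added example that is not part of Ron's post and not taken from GlassFish's own documentation: a sun-ejb-jar.xml (placed in META-INF/ of the EJB module deployed on the remote server) that maps the bean's security role directly to caller principals rather than to a group. The role name payroll-admin, the bean name PayrollBean, the group name payroll-admins and the principal names alice and bob are assumptions for illustration. The commented-out group mapping is the form that, per the post's description, fails for a remote caller because the group principals never arrive in the identity assertion; the active mapping names the principals that do.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<!-- Added example: sun-ejb-jar.xml for the EJB module on the REMOTE GlassFish
     instance. Role, bean, group and principal names are assumptions. -->
<sun-ejb-jar>

  <!-- Group-based mapping. Sufficient when the web tier and the EJB run in
       the same instance and share the security context, but for a remote
       RMI/IIOP call the identity assertion carries only the caller principal,
       so the group "payroll-admins" is never present and this mapping does
       not grant the role. Left commented out for comparison. -->
  <!--
  <security-role-mapping>
    <role-name>payroll-admin</role-name>
    <group-name>payroll-admins</group-name>
  </security-role-mapping>
  -->

  <!-- Caller-based mapping (the workaround): map the role to each caller
       principal by name. Only the caller principal crosses the wire, so this
       is the one attribute the remote container can match. Every authorised
       caller has to be listed here individually. -->
  <security-role-mapping>
    <role-name>payroll-admin</role-name>
    <principal-name>alice</principal-name>
    <principal-name>bob</principal-name>
  </security-role-mapping>

  <enterprise-beans>
    <ejb>
      <ejb-name>PayrollBean</ejb-name>
      <!-- The role "payroll-admin" must still be declared on the bean,
           e.g. via @RolesAllowed("payroll-admin") or a <method-permission>
           in ejb-jar.xml; this file only supplies the principal-to-role
           mapping that the container consults at authorisation time. -->
    </ejb>
  </enterprise-beans>

</sun-ejb-jar>
```

The matching is done on the caller principal name as asserted by the web tier, so the principal-name entries have to agree with the names the calling realm produces. Because the mapping must enumerate every caller, it is a workaround rather than a fix; the resolution described in the linked issue, where the receiving server consults its own realm and adds the caller's groups to the security context, would make the ordinary group-based mapping work again for remote calls.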