users@glassfish.java.net

Re: JDBCRealm: Can I map users/groups to roles using database?

From: <glassfish_at_javadesktop.org>
Date: Fri, 27 Mar 2009 12:10:42 PDT

Daniel,

Roberto forwarded your msg to me, and I think Kumar had previously asked me questions about the problem discussed in this thread. On this thread, there has been discussion of the default (aka canonical) p2r mapping, and integration of a custom jacc provider, or of a custom principal-2-role mapper. I'll discuss the relative merits and capabilities of those suggestions if you think that appropriate.

You should be able to develop a custom jacc policy provider that you could subsequently deploy in any EE compatible container (which unfortunately does not include Tomcat), and that will be able to rely on principal-2-role mapping functionality inherent in your provider. The in-memory jacc provider was included in GlassFish to help people accomplish this, and we can try to talk that through at least to understand why such an approach would not satisfy your needs. I should also point out that the jacc spi provides context handlers which can be used by the policy provider to get more context about the request being processed. This additional context could be applied to select sufficient roles, or to determine a corresponding principal 2 role mapping.

EE 6 will also require support for the jsr 196 spi (especially within the web container), which will provide an additional opportunity to integrate common security functionality in any EE (full platform) compatible web container.

I'll try to continue the discussion in response to the msg you sent to the spec feedback alias.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=339382
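
An added example, not part of the original message and not GlassFish code: a `java.security.Policy` wrapper that answers JACC role-reference checks (`isUserInRole` / `isCallerInRole`) from a database, reading the caller through the Subject context handler the message mentions, and delegating every other permission check. The class name, the `principal_role` table and the injected `DataSource` are assumptions, and the role reference is treated directly as the role name.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.security.auth.Subject;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebRoleRefPermission;
import javax.sql.DataSource;

/** Added example: resolves principal-to-role mappings from a database table. */
public class DbRoleMappingPolicy extends Policy {
    // Hypothetical table: principal_role(context_id, principal_name, role_name)
    private static final String SQL = "SELECT 1 FROM principal_role"
            + " WHERE context_id = ? AND principal_name = ? AND role_name = ?";
    // Standard JACC context handler key for the container's caller Subject.
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    private final Policy delegate;   // the policy that was installed before this one
    private final DataSource ds;     // assumption: obtained by the caller, e.g. via JNDI

    public DbRoleMappingPolicy(Policy delegate, DataSource ds) {
        this.delegate = delegate;
        this.ds = ds;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission p) {
        if (!(p instanceof WebRoleRefPermission) && !(p instanceof EJBRoleRefPermission)) {
            return delegate.implies(domain, p);   // all other checks are unchanged
        }
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(SQL)) {
            Subject caller = (Subject) PolicyContext.getContext(SUBJECT_KEY);
            if (caller == null) return false;     // unauthenticated caller holds no roles
            ps.setString(1, PolicyContext.getContextID());  // scope the mapping per application
            ps.setString(3, p.getActions());      // simplification: role-ref used as role name
            for (Principal pr : caller.getPrincipals()) {
                ps.setString(2, pr.getName());
                try (ResultSet rs = ps.executeQuery()) {
                    if (rs.next()) return true;
                }
            }
            return false;
        } catch (Exception e) {
            return false;                         // fail closed on database or handler errors
        }
    }
}
```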