This is not exactly the answer to your question, but it is certainly related, and it may help you to get started with the certificate realm:
http://www.nogid.org/Belgian-identity-card-Glassfish-beid-eid . If I remember well, in GF 2.1, you can only make one role correspond to the users logged in via a specific certificate. (And as you point out, you will probably have to write a login module to have multiple roles.) I use some code in my application to look up the remoteUser (which is the CN in the user certificate) in a database, and then determine his/her permissions.
Hope this helps somewhat?
[Message sent by forum member 'grombouts' ]
http://forums.java.net/jive/thread.jspa?messageID=373569
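An added example, not the poster's own code, of the "look up the CN from the certificate and map it to roles" step described above. It assumes the container (GlassFish certificate realm here) has already validated the client certificate chain and handed the application a subject DN (for example via `request.getRemoteUser()` or the `javax.servlet.request.X509Certificate` request attribute); the CN is only trustworthy after that validation. The `rolesByCn` map is a constructed stand-in for the database table, and the names in it are made up. Parsing uses `javax.naming.ldap.LdapName` from the JDK, so CNs with commas or escaped characters are handled correctly rather than by string splitting.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class CertRoleMapper {
    // Constructed stand-in for the database table CN -> roles (hypothetical data).
    private final Map<String, Set<String>> rolesByCn = new HashMap<String, Set<String>>();

    public CertRoleMapper() {
        rolesByCn.put("Alice Example", new HashSet<String>(Arrays.asList("user", "admin")));
        rolesByCn.put("Bob Example", new HashSet<String>(Collections.singletonList("user")));
    }

    /**
     * Extract the CN attribute from an X.500 subject DN using a real RFC 2253 parser.
     * Returns null if the DN is malformed or carries no CN, so callers deny by default.
     */
    public static String extractCn(String subjectDn) {
        if (subjectDn == null) {
            return null;
        }
        try {
            LdapName name = new LdapName(subjectDn);
            for (Rdn rdn : name.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: treat as "no CN" rather than guessing.
        }
        return null;
    }

    /** Roles for the authenticated subject; empty set when the CN is unknown or missing. */
    public Set<String> rolesFor(String subjectDn) {
        String cn = extractCn(subjectDn);
        if (cn == null) {
            return Collections.emptySet();
        }
        Set<String> roles = rolesByCn.get(cn);
        return roles == null ? Collections.<String>emptySet() : Collections.unmodifiableSet(roles);
    }

    public static void main(String[] args) {
        CertRoleMapper mapper = new CertRoleMapper();
        // Constructed sample DNs, including one without a CN and one that is not a DN at all.
        String[] dns = {
            "CN=Alice Example, OU=Staff, O=Example, C=BE",
            "C=BE, O=Example, CN=Bob Example",
            "CN=Unknown Person, O=Example",
            "C=BE, O=Example",
            "no-equals-sign"
        };
        for (String dn : dns) {
            System.out.println(dn + " -> cn=" + extractCn(dn) + " roles=" + mapper.rolesFor(dn));
        }
    }
}
```

Two points a practitioner would check before relying on this: the lookup key is the CN alone, which presumes CNs are unique within the trust domain the realm accepts (if several issuers are trusted, key on issuer plus serial or on the full subject DN instead), and unknown or unparsable subjects fall through to an empty role set rather than a default role.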