users@glassfish.java.net

Re: Principal and Role Handling - Expected behaviour?

From: <glassfish_at_javadesktop.org>
Date: Mon, 30 Nov 2009 12:59:38 PST

The effect of calling isUserInRole with an undeclared role-reference is underspecified; but yes, the problem you are seeing is that the container can only be expected to perform isUserInRole evaluations for role names/references that were defined at deployment. This is especially true on any Java EE-compatible Servlet container, in which the JACC contract defines the translation of the declared role-ref set into an enforceable policy. Undeclared role-ref values will not factor in that policy, and the outcome of testing for membership with them would not be expected to produce meaningful results.

Servlet 3.0 (for which Glassfish v3 is the RI) provides some new programmatic APIs that you can use to declare roles at runtime (during ServletContext initialization, and prior to the point where your app starts servicing requests). Please check out ServletContext#declareRoles and ServletRegistration.Dynamic#setServletSecurity.

FWIW, note that roles used in web.xml must be declared as a security-role, while roles may be implicitly defined as a result of their use in @ServletSecurity or @RunAs, within an argument to the setServletSecurity or setRunAs APIs, or explicitly as a result of @DeclareRoles or via the declareRoles API.
[Message sent by forum member 'monzillo' ]

http://forums.java.net/jive/thread.jspa?messageID=373934
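The Servlet 3.0 calls named in the reply above, put together as an added example (this is not code from the thread, from GlassFish or from the Servlet spec). It assumes the role names "auditor" and "admin", a servlet class named ReportServlet mapped at /reports/*, and a @WebListener-annotated ServletContextListener (a listener that is neither annotated nor declared in web.xml is not allowed to call declareRoles). The point it illustrates is that role names are declared before the first request is serviced, so that the container's policy actually covers them when isUserInRole is later evaluated.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.HttpConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Declares roles and a security constraint while the ServletContext is
 * being initialized, i.e. before the application services any request.
 * Role names "auditor" and "admin" and the /reports/* mapping are
 * assumptions made for this example.
 */
@WebListener
public class RoleSetupListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Explicit declaration: names passed here become part of the
        // deployed role set, so isUserInRole() on them is meaningful.
        ctx.declareRoles("auditor", "admin");

        // Register the servlet programmatically and attach its constraint.
        ServletRegistration.Dynamic reg =
                ctx.addServlet("reports", ReportServlet.class);
        reg.addMapping("/reports/*");

        // Roles named in a constraint are implicitly declared as well;
        // CONFIDENTIAL additionally requires a protected (TLS) transport.
        HttpConstraintElement auditorsOnly = new HttpConstraintElement(
                TransportGuarantee.CONFIDENTIAL, "auditor", "admin");
        Set<String> alreadyConstrained =
                reg.setServletSecurity(new ServletSecurityElement(auditorsOnly));

        // setServletSecurity returns the URL patterns that were already
        // constrained in web.xml and were therefore left untouched. Fail
        // loudly instead of deploying with a policy other than the intended one.
        if (!alreadyConstrained.isEmpty()) {
            throw new IllegalStateException(
                    "Mappings already constrained in web.xml: " + alreadyConstrained);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /** Servlet guarded by the constraint declared above. */
    public static class ReportServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            // "admin" was declared during initialization, so this check is
            // evaluated against the deployed policy. A name that was never
            // declared (e.g. a typo such as "adminstrator") would not be,
            // and its result should not be used to make a decision.
            boolean canExport = req.isUserInRole("admin");
            resp.setContentType("text/plain");
            resp.getWriter().println("user=" + req.getRemoteUser()
                    + " export=" + canExport);
        }
    }
}
```

Because the listener runs before any request is serviced, the declared names reach the container's policy translation at the same point as roles from web.xml or @DeclareRoles would; a role first mentioned in a request-time isUserInRole call gets no such treatment, which is the underspecified case described in the reply.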