Since deploying my WAR alone (without the EAR) works fine and I see the correct role mappings (as declared in my sun-web.xml) when debugging through PolicyConfigurationImpl, I'm now sure that it is a GF bug.
I thus wanted to open an issue and saw that just a few days ago, someone else already opened this issue:
https://glassfish.dev.java.net/issues/show_bug.cgi?id=13772
Well, since it says there that it might be related to my EJB being deployed inside my EAR's lib/, I have tried to get it running by separating the two - EJB-class in one, interfaces in the other - and it works fine, now! Yabbadabbadoo!!! :-)
Separating these classes definitely does not make things easier - we'll have 50% more JARs this way - and they're already numerous :-( But even though it's not perfect, I'm nevertheless extremely glad that I finally got it running.
Btw. the redeclaration of roles that I complained about before is *not* necessary! I removed all the sun-*.xml files (except for the EJB-JAR's, which is required for assigning the realm to the EJB) and everything works fine (I have activate-default-principal-to-role-mapping="true"). The only place where roles occur now is in my annotations - just like it should be ;-)
I'll add a comment to issue 13772 and hope it is fixed soon.
Best regards, Marco :-)
[Message sent by forum member 'nlmarco']
http://forums.java.net/jive/thread.jspa?messageID=484476