There has been a discussion going on with reference to a Security Context in JBossSX. Refer to the forum thread

As it stands, the Security Context is populated with the roles for the authenticated user, but the access checks that are happening (mainly for the jacc layer) needs to move away from the reliance on the role-group placed as a principal in the authenticated subject, but to use the roles in the Security Context.