When using MP JWT, I have to configure the login module like this (pasting the full security config for reference):
I absolutely must add the rolesProperties option, even if I don't actually need it. Without the option, the JWTLoginModule doesn't work, even though there's no reasonable error message. (There's a LoginException thrown from RoleMappingLoginModule.getRoleSets, but it gets swallowed somewhere!) As a workaround, I can specify a name of a non-existing file – the login module is fine with that.
The ultimate cause is that RoleMappingLoginModule, which is a parent class of JWTLoginModule, insists on the rolesProperties being provided without it actually being necessary. (If I look into the source, it seems the check was added later; the code was clearly originally written with rolesProperties being optional.)
What I think we could do is override the getRoleSets method in JWTLoginModule and, before delegating to the parent, check if the option is set, and if it isn't, set it to some random value that is guaranteed not to exist. That's obviously a hack which depends on an implementation detail of the parent class. If we don't do that, we should at least document that the option is mandatory.