Task
Resolution: Done
Critical
Currently we only use group/role assignment within the ApplicationRealm where there is an assumption of a 1:1 mapping between a group and a role.
Instead, by default, the <authorization /> section of a <security-realm /> should be used to load group membership information.
Within access control the group to role mapping will happen at a later point as it needs to take into account the address or an operation.
For situations where a 1:1 mapping can be assumed, we will add a configuration option on the <authorization /> element, 'map-groups-to-roles'; the default will be false.
For backwards compatibility, the ApplicationRealm we ship will have 'map-groups-to-roles' set to true. Where an older schema is read, we will assume this attribute was set to true for consistency.
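An added example, not code from this issue or from the project: a small audit script that resolves the effective 'map-groups-to-roles' value per security realm using the rules described above (explicit value, default false, assumed true for an older schema). The namespace pattern, the version threshold, the realm layout and the file names in the sample documents are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: first schema version that knows the attribute. The issue only
# says "an older schema" and names no version, so this is a placeholder.
FIRST_SCHEMA_WITH_ATTRIBUTE = (2, 0)

# Constructed sample configurations (not taken from a shipped distribution).
LEGACY = """<server xmlns="urn:jboss:domain:1.4"><management><security-realms>
  <security-realm name="ApplicationRealm"><authorization>
    <properties path="example-roles.properties"/>
  </authorization></security-realm>
</security-realms></management></server>"""

NEWER = """<server xmlns="urn:jboss:domain:2.0"><management><security-realms>
  <security-realm name="ManagementRealm"><authorization>
    <properties path="example-groups.properties"/>
  </authorization></security-realm>
  <security-realm name="ApplicationRealm">
    <authorization map-groups-to-roles="true">
      <properties path="example-roles.properties"/>
    </authorization>
  </security-realm>
  <security-realm name="NoAuthz"/>
</security-realms></management></server>"""


def schema_version(root):
    """Extract (major, minor) from the root element's namespace."""
    m = re.match(r"\{urn:jboss:domain:(\d+)\.(\d+)\}", root.tag)
    if not m:
        raise ValueError("unrecognised namespace: %r" % root.tag)
    return int(m.group(1)), int(m.group(2))


def effective_group_mapping(xml_text):
    """Return {realm name: True/False/None}; None means no <authorization />."""
    root = ET.fromstring(xml_text)
    version = schema_version(root)
    ns = root.tag[: root.tag.index("}") + 1]
    result = {}
    for realm in root.iter(ns + "security-realm"):
        authz = realm.find(ns + "authorization")
        if authz is None:
            result[realm.get("name")] = None
        elif version < FIRST_SCHEMA_WITH_ATTRIBUTE:
            result[realm.get("name")] = True  # older schema: assumed true
        else:  # explicit value wins, otherwise the default of false applies
            flag = authz.get("map-groups-to-roles", "false")
            result[realm.get("name")] = flag == "true"
    return result
```

A realm reported as True is one where every loaded group name is used directly as a role name, so those are the realms whose group sources deserve review.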