I'm investigating securing an application deployed on JBoss using TAM with WebSEAL and am currently getting an authorization problem. It looks like the WebSEAL junction is correctly authenticating access to the web application, however the principal passed to the EJB container has no roles. Examining pdamin I can see my user exists, and is in a group.

TAM seems to rely on the JBoss ClientLoginModule and a custom valve to propagate the principal to the EJB container. Does anyone know if WebSEAL can propagate roles with a principal to an application server that is not WebSphere? Do I need to enable JACC to have JBoss query for roles itself? My understanding of JEE suggests I shouldn't have to do this, but nothing I change seems to influence the roles on the principal.