3 Replies Latest reply on May 7, 2002 12:43 PM by luke_t

    run-as, isCallerInRole() and all EJB Roles

    dirk.haase

      Hi,

      1.)
      in my tests, I had BeanA with <run-as>TestRole</run-as> and it called BeanB. In BeanB I checked isCallerInRole("TestRole") and it returns false. Is this intended?

      2.)
      is there a (proprietary) way to get all EJBRoles for the logged-in principal?

      thanks for any comments,
      Jex

        • 1. Re: run-as, isCallerInRole() and all EJB Roles
          chrisgerrard

          I'm also trying to find a way to programmatically retrieve the current User's roles, and think Eddie Chan is also trying to do so.
          My case is (I think) similar to yours - I have custom "security policies" associated with individual application objects and need to determine at runtime what access the User has to the object based upon the correlation of the User's set of roles and the roles and access privileges in the "security policy".
          So far the only solution I've been able to come up with is to use EJBContext's getCallerPrincipal() and isCallerInRole() methods to perform some coarse iterative comparisons; this isn't really very satisfying and I'd very much like to find a solution that enables me to obtain the full set of roles for the User in one operation so I can use them as I need to.
          And just to be greedy, I'd like to be able to get access to the javax.security.auth.Subject that is presumably known to JBoss.
          I'm investigating the possibility of hooking into the security interceptor(s), but as of now don't know if or how this might work, or even if I'm barking up the wrong tree.
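The coarse iterative approach described in the post above, written out as an added example (not code from the thread or from JBoss): a hypothetical PolicyEvaluator takes an object's "security policy" (a constructed map from role name to privilege names) and derives the caller's effective privileges by asking the container about each role in turn via EJBContext.isCallerInRole().

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.ejb.SessionContext;

/**
 * Hypothetical helper (not part of the EJB API): evaluates one application
 * object's security policy against the calling principal.
 *
 * Caveat: every role name handed to isCallerInRole() must be declared for
 * this bean as a <security-role-ref> in ejb-jar.xml and mapped to a real
 * security role in the assembly descriptor; an undeclared name is not a
 * check the container can answer, so it must never be treated as a grant.
 */
public class PolicyEvaluator {

    /** Role name -> Set of privilege names (pre-generics collections, 2002 style). */
    private final Map policy;
    private final SessionContext ctx;

    public PolicyEvaluator(SessionContext ctx, Map policy) {
        this.ctx = ctx;
        this.policy = policy;
    }

    /** Union of the privileges granted by every policy role the caller holds. */
    public Set effectivePrivileges() {
        Set result = new HashSet();
        for (Iterator it = policy.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            if (ctx.isCallerInRole((String) e.getKey())) {
                result.addAll((Set) e.getValue());
            }
        }
        return Collections.unmodifiableSet(result);
    }

    /** Deny by default: a privilege is held only if some held role grants it. */
    public boolean hasPrivilege(String privilege) {
        return effectivePrivileges().contains(privilege);
    }

    /** Constructed sample policy for illustration: two roles, overlapping rights. */
    public static Map samplePolicy() {
        Map p = new HashMap();
        p.put("Reader", new HashSet(java.util.Arrays.asList(new String[] {"read"})));
        p.put("Editor", new HashSet(java.util.Arrays.asList(new String[] {"read", "write"})));
        return p;
    }
}
```

Inside a bean, `new PolicyEvaluator(sessionContext, PolicyEvaluator.samplePolicy()).hasPrivilege("write")` is true only when the container reports the caller in the Editor role; the cost is one isCallerInRole() call per policy role, which is the "coarse" part the post complains about.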

          • 2. Re: run-as, isCallerInRole() and all EJB Roles
            chrisgerrard

            There's a post by basil @ http://jboss.org/forums/thread.jsp?forum=49&thread=12162&message=3513126#3513126
            that describes how to get the current Subject from JBoss.
            I've used this code in a SLSB and it's worked OK so far.

            • 3. Re: run-as, isCallerInRole() and all EJB Roles

              > And just to be greedy, I'd like to be able to get access to
              > the javax.security.auth.Subject that is presumably known to
              > JBoss.
              > I'm investigating the possibility of hooking into the
              > security interceptor(s), but as of now don't know if or
              > how this might work, or even if I'm barking up the wrong
              > tree.

              Have a look at the following Javaworld article (and example code) which explains how to use JBoss security proxies (which are linked into the security interceptor) and also how to access the current subject.

              http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-ejbsecurity_p.html