2 Replies Latest reply on Feb 25, 2014 3:25 AM by pmm

    RBAC role mapping with custom JAAS login module

    pmm

      We currently have a custom JAAS LoginModule (a subclass of DatabaseServerLoginModule) and are trying to use RBAC in WF8. We are having trouble getting the role mapping to work. Mapping a single user works fine, but mapping groups does not seem to work. Adding or removing the realm does not seem to make a difference. We do set the rolesQueryInstance variable in the module, and @RolesAllowed works fine with the login module.

       

      Our configuration looks like this:

      <management>
        <security-realms>
          <security-realm name="AcmeRealm">
            <authentication>
              <jaas name="acme"/>
            </authentication>
          </security-realm>
        </security-realms>
        <access-control provider="rbac">
          <role-mapping>
            <role name="SuperUser">
              <include>
                <group realm="AcmeRealm" name="ADMIN"/>
              </include>
            </role>
          </role-mapping>
        </access-control>
      </management>

      <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
          <security-domain name="acme" cache-type="default">
            <authentication>
              <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="com.acme.AcmeDatabaseServerLoginModule" flag="required" module="com.acme.security">
                <module-option name="unauthenticatedIdentity" value="guest"/>
              </login-module>
            </authentication>
          </security-domain>
        </security-domains>
      </subsystem>