Security mappings in jboss-web.xml from an app role name to a real group name seems not to work anymore in Wildfly 8.1. It worked with JBoss 7.1.

The authentication with "org.jboss.security.auth.spi.LdapExtLoginModule" works:

<security-domain name="ldap_security_domain">

     <authentication>

          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">

               <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

               <module-option name="java.naming.provider.url" value="ldap://alzhdc01:389"/>

               <module-option name="java.naming.referral" value="follow"/>

                  ... etc.

          </login-module>

        </authentication>

</security-domain>

My jboss-web.xml looks like:

<jboss-web>

    <security-domain>java:/jaas/ldap_security_domain</security-domain>

    <security-role>

        <description>example of mapping an app role name to real group name. This way we can  take advantage of already existing groups</description>

        <role-name>SUPERUSER_ROLE</role-name><!-- the role name appearing in the standard web.xml dd  -->

        <principal-name>Superuser</principal-name><!-- the existing role in your credential repo -->

    </security-role>

     ... etc.

</jboss-web>

and in web.xml I have following code:

  <login-config>

    <auth-method>FORM</auth-method>

    <realm-name>ldap_security_domain</realm-name>

    <form-login-config>

      <form-login-page>/faces/pages/login.xhtml</form-login-page>

      <form-error-page>/faces/pages/login-error.xhtml</form-error-page>

    </form-login-config>

  </login-config>

Now if I call for a authenticated user following code he has not the corresponding role.

ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();

externalContext.isUserInRole(JSFConstants.ROLE_SUPERUSER);

If I start the WildFly server I get not errors. Do you have any idea? Thank you in advance.