Let me describe a real live example for you.
I have 3 applications running on my JBoss Application Server.
Each application has a common user role called "user" and an application administrator role called "admin".
In the web.xml or ejb-jar.xml, these roles are defined the standard way.
Everything is OK, right?
On the technical front, you have to differentiate between app1-user, app2-user, etc., because a user may have the right to use app1 but not app2 and app3. A user can be admin for app1 and user for app3.
If you use the RoleMappingLoginModules, mapping occurs at the security domain level, not at the application level.
This means you have to create a security domain for each app to make this work. This is an incredible waste of resources that were supposed to be shared.
The RoleMappingLoginModules does do role mapping but at the wrong level in my opinion.
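
The per-application setup the post describes, sketched as an added illustration that is not part of the original post. It assumes the `login-config.xml` format of JBoss AS 4.x/5.x and a shared `UsersRolesLoginModule` store; the domain names and properties file names are hypothetical.

```xml
<!-- conf/login-config.xml: one security domain per application, because
     RoleMappingLoginModule is configured on the domain, not on the app. -->
<policy>
  <!-- Domain used only by app1 -->
  <application-policy name="app1">
    <authentication>
      <!-- Shared user store (assumed): holds roles such as
           app1-user, app1-admin, app3-user -->
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="usersProperties">props/shared-users.properties</module-option>
        <module-option name="rolesProperties">props/shared-roles.properties</module-option>
      </login-module>
      <!-- props/app1-role-map.properties (hypothetical) contains:
             app1-user=user
             app1-admin=admin
           so app1's web.xml / ejb-jar.xml can keep the plain names. -->
      <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule"
                    flag="optional">
        <module-option name="rolesProperties">props/app1-role-map.properties</module-option>
        <module-option name="replaceRole">true</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Domain used only by app3: same user store, different mapping file -->
  <application-policy name="app3">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="usersProperties">props/shared-users.properties</module-option>
        <module-option name="rolesProperties">props/shared-roles.properties</module-option>
      </login-module>
      <!-- props/app3-role-map.properties (hypothetical): app3-user=user, app3-admin=admin -->
      <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule"
                    flag="optional">
        <module-option name="rolesProperties">props/app3-role-map.properties</module-option>
        <module-option name="replaceRole">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
<!-- Each application then selects its own domain in jboss-web.xml / jboss.xml,
     e.g. for app1: <security-domain>java:/jaas/app1</security-domain> -->
```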