It seems to me this should be main points to solve your problem:
- Point 1-3 you achieve with SPNEGOLoginModule following mentioned documentation.
- To get roles from AD you need to use LdapLoginModuleMappingProvider https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-6.4/login-module-reference/#ldaprolesmappingprovider
- To perform custom post actions you probably have to hook into request processing, probably servlet filter. You should be able to get to user principal with request.getUserPrincipal() for instance.