Basically those roles can not cover issues such "user X owns item Y". The admin/guest/internetuser/whatever roles are for things which apply indiscriminately to a whole group of users and to a whole part of a program. E.g., you can say stuff like "only a project leader can see this page at all", but you can not say stuff like "on this page a project leader may only see the people working on his project, and on that other page he may only see the other resources allocated to his own project".
So, well, yes, you're back to doing the checks in your own code. You will have to store the customer id with those orders, and you will have to check that the id matches the current logged in user everywhere that you access data from an order. It's not even that hard to do.
But it does bring me to a pet peeve of mine, namely that the current state of JAAS and EJB declarative security is just snake oil supposed to look great to managers, not to solve a problem. And I just hate that trend in the computer industry.
I can't think of any project, real of hypothetical, where the declarative security would be enough. Even if you think something as simple as "hey, let's make a simple guestbook/forum for my own homepage", you'll already run into stuff where just having "admin" and "user" groups isn't enough. E.g., what if I want to allow a user to delete their own post, within a certain time limit and/or if there are no answers to it yet? What if I want to allow users to receive private messages, but _only_ ever be able to see the private messages addressed to themselves? Yep, it's back to programmatic security already.
Briefly: most real life case are _not_ squeezable into an "only admins may do this" mold, but are more like "only an admin OR a user which meets this and that condition may do this." And there it's not even like declarative security even saves you one "||" in the if, it's more like: you can't even use it at all, and have to write the whole if anyway.
So why not just stick with programmatic security all the way, from the start? The very few cases where declarative security might save you 2-3 lines of code, are just not worth learning a new API. And definitely not worth having the security stuff split between your normal Java files _and_ the descriptors. It's actually more maintenance overhead, not less.
But on the other hand, the extra buzzword will look great on your resume, and will impress the heck out of a pointy haired boss if you're trying to sell your program to one. Snake oil technology at its finest, really.