I'm having the exact same problem, except with the LDAPLoginModule. The funny thing is, everything is fine for EJB security, just not for web! I think we're onto something... anyone know what's going on?
Ok, I solved my problem ;-)
The "solution" can be found in the GettingStartedGuide, but maybe it could be said more clearly... anyway, I just didn't put the word "Roles" into the third column ("RoleGroup") of the table "Roles"; so what I mean is that given the table "Roles" which contains "PrincipalID", "Role" and "RoleGroup", an entry could look like the following: "matthias", "admin", "Roles",
where "admin" is your security role to which you grant the right to access the secured object.
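An audit of the "Roles" table for the mistake described in the post above, as an added example that is not part of the original thread or of the application server's code. It uses the three column names from the post with constructed sample rows in an in-memory SQLite database, and assumes a row grants its role only when "RoleGroup" is exactly the string "Roles".

```python
import sqlite3

# Assumption: the role group named in the post; a row in any other group is
# treated here as not granting its security role.
EXPECTED_GROUPS = {"Roles"}

def build_sample_db():
    """Constructed sample data using the three columns named in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Roles (PrincipalID TEXT, Role TEXT, RoleGroup TEXT)")
    db.executemany(
        "INSERT INTO Roles VALUES (?, ?, ?)",
        [
            ("matthias", "admin", "Roles"),  # the entry from the post
            ("alice", "admin", ""),          # third column left empty
            ("bob", "admin", "roles"),       # wrong case
            ("carol", "admin", None),        # NULL
            ("dave", "user", "Roles "),      # trailing space
        ],
    )
    return db

def effective_roles(db, principal, expected=EXPECTED_GROUPS):
    """Roles for a principal, counting only rows in an expected group."""
    rows = db.execute(
        "SELECT Role, RoleGroup FROM Roles WHERE PrincipalID = ?", (principal,)
    )
    return sorted(role for role, group in rows if group in expected)

def suspect_rows(db, expected=EXPECTED_GROUPS):
    """Rows whose RoleGroup is not exactly one of the expected names."""
    rows = db.execute(
        "SELECT PrincipalID, Role, RoleGroup FROM Roles ORDER BY PrincipalID"
    )
    return [r for r in rows if r[2] not in expected]

if __name__ == "__main__":
    db = build_sample_db()
    for principal, role, group in suspect_rows(db):
        print(f"{principal}: role {role!r} has RoleGroup {group!r}, expected 'Roles'")
    print("matthias ->", effective_roles(db, "matthias"))
    print("alice    ->", effective_roles(db, "alice"))
```

If the deployment uses additional role groups, add their names to `EXPECTED_GROUPS` so those rows are not reported.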