1) there are not two phases to authentication. All that you could possibly do is to install a custom place holder java.security.acl.Group that lazily acquired the roles used for authorization.
2) Same as 1, there are not two phases. The security context is created during authentication and there is the possibility to lazily acquire roles given a place holder created during phase1, but since you don't seem to even know the key used to acquire roles, you'll need a placeholder proxy that is updated by a custom interceptor.
3) Yes, you are going to have to associate the roles after the fact outside of the JAAS login phase. This would have to be a custom interaction between the Group you installed during the authentication phase. If you can do this then the existing declarative security mechanism just works. If you cannot then you need to augment authentication with a custom interceptor/filter that manages the authorization checks.