A 302 return code is a temporary redirect. This is used when using form authentication to redirect you to the login form.
I understand that's a redirect because it has been coded in this way in the web.xml file:
Dynamically, I can see the authentication process that succeeds:
1 - /action/authenticationProcess properly identifies the client
i.e., my loginContext works well: I get my subject and my principals
2 - /action/authenticationProcess tries a forward to action/menuView
3 - this forward is rejected (our 302 redirect) because this URL is a protected resource (my <security-constraint>)
Maybe the relevant question is how can I map the <role-name> with one of the principals I get from my loginContext?
A redirect only occurs for authentication failures, not authorization. You map the roles to a user using the roles.properties file as discussed in the JAAS Howto in this forum.