I have been looking at this same question. You may have already found:
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3827512#3827512 - but I added a comment posing a question about capability that appears to be added in WebLogic.
Did you resolve the problem you were having? I would be very interested in hearing what you did. I am coming to the conclusion that the capabilities offered by the two app servers are different, with the edge apparently going to WL here, but I will be the first to admit that I can get easily confused in this complexity.
The 4.0.2RC1 release has added support for associating a principal with additional roles, but it's up to the login module to perform the mapping from the security domain to the application domain. The static mapping supported at the jboss-web.xml level is only for run-as identity.
<jboss-web>
  <security-role>
    <role-name>ExtraRole1</role-name>
    <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
  </security-role>
  <security-role>
    <role-name>ExtraRole2</role-name>
    <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
  </security-role>
  <servlet>
    ...
    <servlet-name>UnsecureRunAsServletWithPrincipalName</servlet-name>
    <run-as-principal>UnsecureRunAsServletWithPrincipalNamePrincipal</run-as-principal>
  </servlet>
  <servlet>
    <servlet-name>UnsecureRunAsServletWithPrincipalNameAndRoles</servlet-name>
    <run-as-principal>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</run-as-principal>
  </servlet>
</jboss-web>
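The static run-as mapping in the post above is the kind of thing worth auditing before deployment: every run-as-principal is an identity a servlet silently assumes, and every security-role/principal-name pair widens what that identity can do. The script below is an added example, not code from the forum post or from JBoss; it parses a jboss-web.xml (the embedded sample is constructed from the snippet above, with the elided "..." left out so it is well-formed XML) and reports, per servlet, the run-as principal and the extra roles statically mapped to it, plus any mapped principals no servlet references. It only reads jboss-web.xml; the web.xml run-as role that pairs with each principal is not consulted.

```python
# Added example (not from the forum post or JBoss): audit the static run-as
# mappings in a jboss-web.xml descriptor.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, modelled on the snippet in the post above.
JBOSS_WEB_XML = """<jboss-web>
  <security-role>
    <role-name>ExtraRole1</role-name>
    <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
  </security-role>
  <security-role>
    <role-name>ExtraRole2</role-name>
    <principal-name>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</principal-name>
  </security-role>
  <servlet>
    <servlet-name>UnsecureRunAsServletWithPrincipalName</servlet-name>
    <run-as-principal>UnsecureRunAsServletWithPrincipalNamePrincipal</run-as-principal>
  </servlet>
  <servlet>
    <servlet-name>UnsecureRunAsServletWithPrincipalNameAndRoles</servlet-name>
    <run-as-principal>UnsecureRunAsServletWithPrincipalNameAndRolesPrincipal</run-as-principal>
  </servlet>
</jboss-web>
"""


def principal_roles(root):
    """Map each principal-name to the set of role-names statically granted to it."""
    roles = defaultdict(set)
    for sr in root.findall("security-role"):
        role = (sr.findtext("role-name") or "").strip()
        if not role:
            continue
        # A security-role may list several principal-name children.
        for pn in sr.findall("principal-name"):
            if pn.text and pn.text.strip():
                roles[pn.text.strip()].add(role)
    return roles


def run_as_map(root):
    """Map each servlet-name to its run-as-principal, skipping servlets without one."""
    mapping = {}
    for sv in root.findall("servlet"):
        name = (sv.findtext("servlet-name") or "").strip()
        principal = (sv.findtext("run-as-principal") or "").strip()
        if name and principal:
            mapping[name] = principal
    return mapping


def audit(xml_text):
    """Return the run-as identity and extra roles per servlet, plus unreferenced mappings."""
    root = ET.fromstring(xml_text)
    roles = principal_roles(root)
    servlets = run_as_map(root)
    report = {
        "servlets": {
            name: {"principal": p, "roles": sorted(roles.get(p, ()))}
            for name, p in servlets.items()
        },
        # Principals that carry extra roles but no servlet runs as them:
        # dead mappings that still widen what that identity could do if reused.
        "unreferenced_principals": sorted(set(roles) - set(servlets.values())),
    }
    return report


if __name__ == "__main__":
    result = audit(JBOSS_WEB_XML)
    for name, info in result["servlets"].items():
        print(f"{name}: runs as {info['principal']}, extra roles {info['roles'] or 'none'}")
    if result["unreferenced_principals"]:
        print("unreferenced mapped principals:", result["unreferenced_principals"])
```

Run it against a real descriptor by replacing JBOSS_WEB_XML with the file contents; a servlet whose run-as principal picks up extra roles it does not need is the line item to question in review.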