A jboss login module (like the LdapExtLoginModule in jbosssx.jar shipped with jboss-5.0.1.GA) returns a
Group array with one SimpleGroup named “Roles” as its role set.
The parent class AbstractServerLoginModule combines this with the Principal
object representing the user. So the set of principals consists of two entries acting as the
user and his roles. These are added to the principals of the Subject instance, which
has been given to the login module when LoginModule#initialize(Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)
is called.