We just need to support the introduction of static roles. Where authentication is done to obtain a Subject, a post authentication interceptor can be added to optionally associated deployment level roles + mappings. This interceptor would have to be in between the authentication and authorization interceptors. In the web container, the construction of the JBossGenericPrincipal roles needs to consult the deployment metadata. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018001#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...