J2EE has it's own model for authorization. Authorization is done against an abstract notion of a role. Authorization policy is written in the deployment descriptor with the role name, resources and appropriate actions. Roles must be mapped to principals at deployment time.
We want to map roles to domain or realm principals (produced by wrapping Security Realms). This is not supported in Geronimo M5 or earlier milestones. In those early releases you can only map j2EE roles to principals that are not explicitly linked to the Login Domain and Security Realm.
Since domain and realm principals are wrapping
Principals, @class attribute that you must specify for either of them must be the name of the class that implements
See the Security Definition Schema section for the role mapping syntax.