I'm using the maven-embedded-glassfish-plugin to do some integration testing.
I have an .ear file with an ejb.jar file in it. The ejb.jar file contains a single, remote, role-protected EJB in it. This .ear file deploys fine to embedded Glassfish v3.1.1.
Prior to deployment, I use the plugin to set up a user named "scott" with a password "tiger" and assign him to the group "superuser". I get the password in there by using the (recently added, as of Glassfish embedded 3.1.1) --passwordfile option (see http://java.net/jira/browse/GLASSFISH-16277). It is my understanding from looking at the domain.xml that ships as part of embedded-all that default Principal-to-role mapping is turned on. These setup commands, using the AdminMojo, complete normally with an odd-to-decipher but presumably OK SUCCESS message.
In my .ear file Maven project, I have a single unit test that attempts to look up this bean from an embedded Glassfish instance that has been started by the maven-embedded-glassfish-plugin. This lookup fails. The lookup string is correct, as the lookup succeeds if I unprotect the bean by removing the @RolesAllowed annotation.
To perform the lookup, I first do a ProgrammaticLogin. I take care to make sure that the login configuration file is passed as a system property, containing the proper configuration for the default realm. The ProgrammaticLogin of course doesn't actually log anyone in at this point; it just stashes the credentials. This completes normally.
But the lookup fails with a CORBA NO_PERMISSION error.
I'm going to attach a Maven project that demonstrates the issue.