I'm developing a Java EE 6 applications using Glassfish 3.1.1 as my app server. I'm using declarative and programmatic security. I've defined several roles at my deployment descriptor, and defined all security constraints.
I was using JDBCReal, and now I've changed it to an LDAPRealm. So I would like to manage the user-group mapping without relying on the LDAP groups. In other words, I want to authenticate to the LDAP but authorize using a RDBM, asking if the current user belongs to X group.
I thought there would be a way to "override" the isUserInRole method. While searching I've heard of things like JACC and I found out that there are ways to plug a custom JACC provider or something like that to the app server, but I couldn't find any custom JACC implementation and I have no idea how to do that (or event if it would work..)
According to Working with Realms, Users, Groups, and Roles, a realm is a "complete database of users and groups that identify valid users of a web application". The realm defines the set of credential and the roles.
Glassfish has then also login modules which define how the user is authenticated, e.g. with username/password, certificates, etc. In practice, only username/passwrod is supported.
So, according to my understanding, you will need to implement a hybrid LDAP/JDBC realm. Here is sample code for a custom login module and realm. You can see this a similar answer of mine.