JACC provider use the Principal-to-role mapping facilities of the server it's deployed on?

JACC provider use the Principal-to-role mapping facilities of the server
it's deployed on?

I am writing a JACC provider.
Along the way, this means implementing a PolicyConfiguration.
The PolicyConfiguration is responsible for accepting configuration
information from the application server, such as which permissions accrue
to which roles. This is so that a Policy later on can make authorization
decisions when handed information about the current user and what he's
trying to do.
However, it is not part of the PolicyConfiguration's (atrocious) contract
to maintain a mapping between roles and their permissions, and Principals
that are assigned to those roles.
Typically--always, really--an application server houses this mapping. For
example, on Glassfish, you affect this mapping by supplying things like
sun-web.xml and sun-ejb-jar.xml and so on with your Java EE modules.
(These vendor-specific files are responsible for saying, e.g., superusers
is a group that is to be assigned the application role of admins.)
I would like to reuse the functionality these files supply, and I would
like to do so for as wide an array of application servers as possible.
Here is--totally arbitrarily--IBM's take on the matter, which appears to
confirm my suspicion that what I want to do is essentially impossible.
(More ammunition for my case that this particular Java EE contract is not
worth the paper it's printed on.)
My question: how do I get at this principal-to-role-mapping information
in--for starters--Glassfish and JBoss from within a PolicyConfiguration?
If there's a standard way to do it that I'm unaware of, I'm all ears.