This is related to Tomcat 6 with JAASRealm and a custom JAAS module for security.
Other Application Servers seem to support the mapping of application role names (in web.xml) to actual groups of the underlying security realm by using server-specific deployment descriptors - as mentioned in the Java EE 5 Tutorial.
Does Tomcat have a similar mechanism?
Edit: This thread seems to talk of the same requirement, but unfortunately doesn't have a definitive answer.
A request for enhancement to JBoss Web (with Tomcat under the hood) has been made to address this same issue.