
Weblogic 12 - Changing Scoped Role to Group mapping in the deployed application


Our current application uses JSF/JPA technology and is deployed on Weblogic 12.1.2 and does the following:

  1. Authenticates a user through an IDP
  2. The IDP, after authenticating the user, sends back the Groups the user belongs to
  3. Using Web.xml and WebLogic.xml we map the Groups to Roles

Our Application Scoped roles are very granular and it helps us do the following:

  1. Hide UI pages or components on UI
  2. Use the RolesAllowed annotation on methods

Since Group to Role mapping is in Weblogic.xml, our application users can't change the groups to roles mapping and this is the problem that I have to solve.

My goal is to do the following:

  1. Authenticate a user through our IDP
  2. The IDP will send us the Groups the user belongs to
  3. Define the roles in web.xml
  4. Define tables that our application will read to find Group to Role mapping
  5. Use Weblogic API to do Group to Role Mapping
  6. Create a UI to allow our users to change the Group to Role mapping

The problem that I am running into is that I can't find how to do Group to Role Mapping dynamically using WebLogic, since I can't get access to a WebLogic API that will allow me to change the Group to Role mapping in my deployed application. Has anyone done this before?

I have looked at creating a custom Role mapper, but I am not sure how to get a handle to this custom Role Mapper in our deployed application.


Solution

  • As of Java EE 7, this is not possible, based on this thread: "dynamic roles on a Java EE server"

    If someone does want this feature added to Java EE 8 then please vote for the following two open feature requests in Java EE 8

    https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8
    https://java.net/jira/browse/JASPIC_SPEC-22
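
For steps 4 to 6 of the question, the following is an added example (not code from the original post or from WebLogic) of a group-to-role lookup kept in the application itself, with an in-memory map standing in for the mapping tables. The class `GroupRoleMapper`, its methods, and the sample group and role names are hypothetical, and this check does not change what the container evaluates for `RolesAllowed` or the `weblogic.xml` mapping.

```java
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical application-level mapper; not a WebLogic or Java EE API.
public class GroupRoleMapper {
    private final Set<String> declaredRoles; // roles the application defines (step 3)
    // Immutable snapshot swapped atomically: readers never see a half-applied edit.
    private final AtomicReference<Map<String, Set<String>>> groupToRoles =
            new AtomicReference<Map<String, Set<String>>>(
                    Collections.<String, Set<String>>emptyMap());

    public GroupRoleMapper(Set<String> declaredRoles) {
        this.declaredRoles = Collections.unmodifiableSet(new HashSet<String>(declaredRoles));
    }

    // Called after the admin UI (step 6) saves rows to the mapping table (step 4).
    public void replaceMapping(Map<String, Set<String>> rows) {
        Map<String, Set<String>> copy = new HashMap<String, Set<String>>();
        for (Map.Entry<String, Set<String>> e : rows.entrySet()) {
            for (String role : e.getValue()) {
                // Reject roles the application never declared, so a typo cannot
                // create a role that no check will ever match.
                if (!declaredRoles.contains(role)) {
                    throw new IllegalArgumentException("Undeclared role: " + role);
                }
            }
            copy.put(e.getKey(), Collections.unmodifiableSet(new HashSet<String>(e.getValue())));
        }
        groupToRoles.set(Collections.unmodifiableMap(copy));
    }

    // Deny by default: a group with no row grants nothing.
    public boolean isInRole(Collection<String> idpGroups, String role) {
        Map<String, Set<String>> snapshot = groupToRoles.get();
        for (String group : idpGroups) {
            Set<String> roles = snapshot.get(group);
            if (roles != null && roles.contains(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: one IdP group, two declared roles.
        GroupRoleMapper m = new GroupRoleMapper(
                new HashSet<String>(Arrays.asList("REPORT_VIEW", "USER_ADMIN")));
        Map<String, Set<String>> rows = new HashMap<String, Set<String>>();
        rows.put("finance", Collections.singleton("REPORT_VIEW"));
        m.replaceMapping(rows);
        System.out.println(m.isInRole(Arrays.asList("finance"), "REPORT_VIEW"));
        System.out.println(m.isInRole(Arrays.asList("finance"), "USER_ADMIN"));
    }
}
```

Because the mapping is editable at runtime, the UI that calls `replaceMapping` needs its own access control and an audit trail of who changed which row.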