When GeoFence/GeoServer is configured with authorization from an HTTP header (preauthorized), the configured header fields are correctly extracted and synthesized to users and roles. When manually adding one of the roles set through the configured header and restricting access to e.g. a layer via GeoFence rules, GeoFence does not use those.
I'm proposing a PR that extracts any roles from the Spring SecurityContext and adds them to the current user's roles determined by the GeoFence user resolver.
While this approach certainly works, I'd like some input from someone with the bigger picture in mind; I'm not that familiar with GeoServer/GeoFence security yet.
Proposed PR: https://github.com/geoserver/geofence/pull/101
Tested with GeoServer 2.12.2 and latest GeoFence (internal)