Currently the principal to role mapper is declared as a class name in an attribute of the global authz element. For the provided mappers introduce a better implementation which avoids class names unless a custom mapper is needed