I never saw this formally documented, but my experience has been that the list of roles for an authenticated user is constructed at login time and remains immutable throughout the session.
This is an interesting problem. In an SSO environment, in theory, you could invalidate the session and the next time a secured request was made, the SSO realm would automatically pick up the authentication from the SSO realm without any need for userid/password (otherwise it's not truly SSO!).
The unfortunate side of that is that, since in J2EE the only way to log off is to invalidate the session, you also have to discard all your non-security-related session objects.
Which might in some ways be the right thing to do, since the previous session data was done using different security assumptions, so there's potential for scrambling contexts. But it's a pity there's no way at present to fine-tune such stuff.
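One way to handle the forced discard the post describes, as an added example that is not code from this thread: a logout servlet that invalidates the session (dropping the principal and its role list) and carries only an explicit allow-list of non-security attributes into the fresh session. The javax.servlet API is assumed; the attribute names and redirect target are placeholders.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet (added example, not from the thread).
 * J2EE has no partial logout: the only way to drop the authenticated
 * principal and its role list is HttpSession.invalidate(). This servlet
 * copies an explicit allow-list of non-security attributes into a fresh
 * session and lets everything else die with the old one, so state built
 * under the previous security assumptions cannot leak across contexts.
 */
public class LogoutServlet extends HttpServlet {

    // Only attributes named here survive re-authentication (assumed names).
    private static final Set<String> CARRY_OVER = Set.of("locale", "theme");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession old = req.getSession(false);
        Map<String, Object> kept = new HashMap<>();
        if (old != null) {
            for (Enumeration<String> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = e.nextElement();
                if (CARRY_OVER.contains(name)) {
                    kept.put(name, old.getAttribute(name));
                }
            }
            old.invalidate(); // drops principal, roles and every other attribute
        }
        // The new session gets a new ID, so the old session cookie is useless;
        // in an SSO realm the next secured request re-authenticates silently.
        HttpSession fresh = req.getSession(true);
        kept.forEach(fresh::setAttribute);
        resp.sendRedirect(req.getContextPath() + "/"); // placeholder target
    }
}
```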