I am using simple AuthenticatedWebApplication and AuthenticatedWebSession which through that you can assign roles. There are examples in wicket-examples.
I wrote my own classes to verify credentials using javax.naming against AD. Although I don't use roles much, you could assign a role based on AD Groups membership.
