My answer was B. But the answer given was A. How it is possible?. As far as I know if we use the name given in <role-link> directly in the isUserInRole() method then it should directly map to the role. Am I right?
<security-role-ref> element, combined with <security> element can link a security role name used in a servlet as the argument to HttpServletRequest.isUserInRole() method to a role name known by the web container. All role names definded by <security-role> elements must be mapped to users and/or groups known by the web container. How this is done is container dependent. The <security-role-element> allows you to use servlet that uses a role name in the isUserRole() method that is not defined by a <security-role> elemnt. A typical scenario where this can be useful is whem you combine servlets from different sources into one application, and the servlets use different role names for tyhe same logical role.