Does that mean that a <security-role> <role-name> is required before you can use <auth-constraint> <role-name>?
Without the security-role declaration the container would normally not be able to (or is not allowed to be able to?) map the role names in the auth-constraint to the ones that are set up in the container-specific configuration.
I recommend just setting up such a system, for example with the Tomcat MemoryRealm.
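Added example, not part of the thread and not Tomcat's own code: a small check that lists role names used in an <auth-constraint> with no matching <security-role> declaration in the same web.xml. The sample descriptor and the role names "manager" and "auditor" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: "auditor" is used in <auth-constraint> but never declared.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>manager</role-name></security-role>
</web-app>
"""

RESERVED = {"*", "**"}  # wildcard role names defined by the Servlet spec


def local(tag):
    # Strip the XML namespace so DTD-era and namespaced descriptors both work.
    return tag.rsplit("}", 1)[-1]


def role_names(root, parent):
    """Collect <role-name> text found directly under every <parent> element."""
    names = set()
    for elem in root.iter():
        if local(elem.tag) == parent:
            for child in elem:
                if local(child.tag) == "role-name" and child.text:
                    names.add(child.text.strip())
    return names


def undeclared_roles(web_xml_text):
    """Roles referenced by auth-constraint with no security-role declaration."""
    root = ET.fromstring(web_xml_text)
    used = role_names(root, "auth-constraint") - RESERVED
    return sorted(used - role_names(root, "security-role"))


if __name__ == "__main__":
    for role in undeclared_roles(SAMPLE_WEB_XML):
        print("auth-constraint role without <security-role>:", role)
```

Run against the sample, it reports "auditor"; adding a <security-role> element for that role clears the finding.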