The <security-role> tag in the DD is a way to declare to the container upfront the security roles which will be used in the application.
If you make a call in a servlet as follows:
isUserInRole("admin")
then the container checks the <security-role> to see if "admin" is defined or not. If not, then it checks the <security-role-ref> in the servlet tag to see if a custom role has been defined.
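
A deployment descriptor fragment with both elements side by side, added here as an illustration and not part of the original post. The servlet name, its class, the URL pattern and the role names "manager" and "auditor" are assumptions made for the example.

```xml
<!-- Constructed web.xml fragment; ReportServlet, com.example.* and /reports/*
     are hypothetical names used only for illustration. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
    <!-- This servlet's code calls isUserInRole("manager"). "manager" is not a
         declared application role, so the name hard-coded in the servlet is
         linked to the declared role "admin". -->
    <security-role-ref>
      <role-name>manager</role-name>
      <role-link>admin</role-link>
    </security-role-ref>
  </servlet>

  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

  <!-- Roles declared upfront to the container. A call to
       isUserInRole("admin") matches this declaration directly. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>auditor</role-name>
  </security-role>

  <!-- isUserInRole() returns false for an unauthenticated caller, so the
       resource is also protected declaratively and a login method is set. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
```

Every role-link value should name a role that also appears in a security-role element; a link to an undeclared role is a common reason a programmatic check silently returns false.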