You will need the security-role-ref only in one case: if the developer is using his own names that don't map to roles defined in tomcat-users.xml. in this case you want to map the user defined roles used in the code to roles defined in realm.
SCBCD - SCWCD - SCJD - SCJP - OCA
I’ve looked at a lot of different solutions, and in my humble opinion Aspose is the way to go. Here’s the link: http://aspose.com