We have three servers and client side. Dev, Pre and PROD. Dev and PRE are similar but PROD is production server having security layer. To enforce security we are using Filters to rout all the requests to a specific Servlet Filter, then to actual application. So, We need web.xml with entries of Filter for PROD server but we don't need Filter entries in web.xml for PRE and UAT. Is there any way to keep the web.xml on server like shared library feature in WAS6.0.2.x server and refer it from application EAR?
I think you have your solution backwards. Your test systems should match your production system as closely as possible; having different code in test versus production means that some production code might not be tested. So in particular your test systems should also have the security layer in place.
Sorry to hear about your client. You probably made a mistake when you allowed your client to dictate that sort of thing to you. So I would suggest setting up a trivial security layer in the test version, one which essentially works like the production version but allows everybody to do everything. Don't forget to mention to your client that the security layer will be untested and that you will accept no responsibility for any errors in that layer.