Hi,
I don't understand what's the need to declare element of , or even itself in DD, because the Container can still create a mapping between role in tomcat-user.xml file and role declares in DD in auth-constraint element of a security-constraint for authenticating any client. I'm using Tomcat 5.5.
Thanks in advance
It gives an additional level of flexibility - what if you needed to deploy your app to another server that already had security roles defined which didn't have the same name as the one's you originally chose? Rather than creating new security roles on the server, or updating the role names in your app (both in the deployment descriptor and wherever you reference them in the app) - this option gives you one place to change it - "the role I call x in my app maps to role y defined on this server".