posted 22 years ago
2 is correct. According to the DTD of web-app (below), you can have multiple <security-role>s, but each can have only one <role-name>.
<!ELEMENT web-app (icon?, display-name?, description?, distributable?, context-param*, filter*, filter-mapping*, listener*, servlet*, servlet-mapping*, session-config?, mimemapping*, welcome-file-list?, error-page*, taglib*, resourceenv-ref*, resource-ref*, security-constraint*, login-config?, security-role*, env-entry*, ejb-ref*, ejb-local-ref*)>
. . .
<!ELEMENT security-role (description?, role-name)>
. . .