Without the security-role declaration the container would normally not be able to (or is not allowed to be able to?) map the role names in the auth-constraint to the ones that are set up in the container-specific configuration.
I recommend just setting up such a system, for example with the Tomcat MemoryRealm.
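
A way to check a deployment descriptor for the gap described above, as an added example that is not part of the original answer: it lists every role name used in an `auth-constraint` that has no matching `security-role` declaration. The sample `web.xml` is constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original answer): "admin" is
# declared, "auditor" is used in an auth-constraint but never declared.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
"""

# "*" (all declared roles) and "**" (any authenticated user, Servlet 3.1+)
# are wildcards, not role names, so they need no security-role entry.
WILDCARDS = {"*", "**"}


def _local(tag):
    """Strip the XML namespace so Java EE and Jakarta EE descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def _role_names(root, parent_tag):
    """Collect <role-name> values found directly under every <parent_tag> element."""
    roles = set()
    for elem in root.iter():
        if _local(elem.tag) == parent_tag:
            for child in elem:
                if _local(child.tag) == "role-name" and child.text:
                    roles.add(child.text.strip())
    return roles


def undeclared_roles(web_xml_text):
    """Return auth-constraint roles that lack a matching security-role declaration."""
    root = ET.fromstring(web_xml_text)
    used = _role_names(root, "auth-constraint") - WILDCARDS
    declared = _role_names(root, "security-role")
    return sorted(used - declared)
```

Calling `undeclared_roles(SAMPLE_WEB_XML)` on the constructed descriptor reports `auditor`; the declared names are the ones that then have to exist in the container's realm configuration, such as the users file behind a Tomcat MemoryRealm.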