Hi,
<security-role> defines the entries for the roles available to the application. The roles are provided by the container, through its authentication mechanism.
Tomcat, by default, uses tomcat-users.xml to define the users and roles.
Thanks
Narendra Dhande
SCJP 1.4, SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0
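
An added example, not part of the original post: a small check that the role names an application declares in `<security-role>` line up with the roles Tomcat's `tomcat-users.xml` actually provides, and that every role used in an `<auth-constraint>` is declared. The two XML documents are constructed samples, and `check_roles` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for illustration (not from the original post).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>operator</role-name></security-role>
</web-app>"""

TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="admin"/>
  <user username="alice" password="CHANGE_ME" roles="admin,staff"/>
</tomcat-users>"""

def _local(tag):
    # Drop any "{namespace}" prefix so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _role_names(parent_tag, root):
    # Collect <role-name> children of every <parent_tag> element.
    return {r.text.strip() for e in root.iter() if _local(e.tag) == parent_tag
            for r in e if _local(r.tag) == "role-name" and r.text}

def check_roles(web_xml, users_xml):
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    declared = _role_names("security-role", web)   # roles the app declares
    used = _role_names("auth-constraint", web)     # roles constraints rely on
    used.discard("*")                              # "*" means every declared role
    container = set()                              # roles the container provides
    for e in users.iter():
        if _local(e.tag) == "role" and e.get("rolename"):
            container.add(e.get("rolename"))
        elif _local(e.tag) == "user":
            container.update(r.strip() for r in e.get("roles", "").split(",") if r.strip())
    return {"used_but_undeclared": sorted(used - declared),
            "declared_but_unknown_to_container": sorted(declared - container)}

if __name__ == "__main__":
    print(check_roles(WEB_XML, TOMCAT_USERS_XML))
```

A role that a constraint uses but no user in the container holds makes the protected resource unreachable, while a declared role missing from the user store usually points at a typo or a stale entry.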