I wonder if <security-role-ref> element comes under a <servlet> element in web.xml file?
Yes it does. So that a reference to a role can be used in a servlet.
Is this the way to map hard coded role name to actual role name (vendor specific) for particular servlet OR something else.
This way, the person who makes does not have to know about the real role name. For example, it can call isUserInRole("BOSS") without taking care if the role exists or not. The link between this "fake" role, and the real role name is done in the descriptor, as described in the example.
It also allows to deploy the same application in different environment. In one environment, "BOSS" might be associated to "manager", but in another one, it might be associated to "evil" ;) The link can be changed in the descriptor, without changing the code.