The message seems very specific and to the point: any role you use in an auth-constraint tag needs to be defined in a security-role tag. You may want to read up on the
security-constraint>,
auth-constraint and
security-role elements of the web.xml file; they're explained in the
servlet specification.