if u look at the 2.3 servlet spec article SRV.13.4.2 which is the example of a security.
shouldn't the <security-role> comes way afterwards , if you look at the DTD , am i missing something here or is that example wrong ?
<!ELEMENT web-app (icon?, display-name?, description?,
distributable?, context-param*, filter*, filter-mapping*,
listener*, servlet*, servlet-mapping*, session-config?, mime-
mapping*, welcome-file-list?, error-page*, taglib*, resource-
env-ref*, resource-ref*, security-constraint*, login-config?,
security-role*, env-entry*, ejb-ref*, ejb-local-ref*)>