Information
The allRolesMode within JBOSS_HOME/server/@PROFILE@/deploy/jbossweb.sar/server.xml must be set to strict for production environments. This requires the authenticated user to be assigned to one of the web-app/security-role/role-name roles in order to be authorized.
Solution
Update the allRolesMode attribute of the <Realm> element with className="org.jboss.web.tomcat.security.JBossWebRealm" in JBOSS_HOME/server/@PROFILE@/deploy/jbossweb.sar/server.xml. Set the attribute value to "strict". By default, allRolesMode is set to "authOnly", which does not require the authenticated user to hold one of the declared web-app roles. For example:
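As an added example (not part of the original note), the following constructed server.xml fragment shows the default authOnly setting beside the corrected strict setting, and a small check flags any JBossWebRealm whose allRolesMode is not "strict". The surrounding Server/Service/Engine skeleton and the check_file helper are assumptions, not taken from the JBoss distribution; point check_file at JBOSS_HOME/server/@PROFILE@/deploy/jbossweb.sar/server.xml to audit a real profile.

```python
import xml.etree.ElementTree as ET

JBOSS_WEB_REALM = "org.jboss.web.tomcat.security.JBossWebRealm"

# Constructed server.xml fragment carrying the default (weak) setting.
WEAK_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Engine name="jboss.web" defaultHost="localhost">
      <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
             allRolesMode="authOnly"/>
      <Host name="localhost"/>
    </Engine>
  </Service>
</Server>"""

# The same fragment after applying the fix described above.
FIXED_SERVER_XML = WEAK_SERVER_XML.replace(
    'allRolesMode="authOnly"', 'allRolesMode="strict"')


def check_all_roles_mode(server_xml: str) -> list[str]:
    """Return findings for every JBossWebRealm; an empty list means compliant."""
    findings = []
    root = ET.fromstring(server_xml)
    realms = [r for r in root.iter("Realm")
              if r.get("className") == JBOSS_WEB_REALM]
    if not realms:
        findings.append("no JBossWebRealm <Realm> element found")
    for realm in realms:
        # A missing attribute is reported as well: the check does not
        # guess what the realm falls back to, it requires an explicit "strict".
        mode = realm.get("allRolesMode")
        if mode != "strict":
            findings.append(
                f"Realm allRolesMode is {mode!r}, expected 'strict'")
    return findings


def check_file(path: str) -> list[str]:
    """Convenience wrapper (assumed helper) for auditing a server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_all_roles_mode(fh.read())


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, check_all_roles_mode(doc) or "OK")
```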