Information
The allRolesMode within JBOSS_HOME/server/@PROFILE@/deploy/jbossweb.sar/server.xml must be set to strict for production environments. This requires the authenticated user to be assigned to one of the web-app/security-role/role-name roles in order to be authorized.
Solution
<Realm className="org.jboss.web.tomcat.security.JBossWebRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" allRolesMode="strict" />