I am not familiar with application server based security constraints. For the following web.xml example, I see the defined roles and which role can access the restricted resources.
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Whatever</realm-name>
</login-config>
<security-role>
<description>Administrator Role</description>
<role-name>admin</role-name>
</security-role>
<security-role>
<description>Privileged User</description>
<role-name>privileged</role-name>
</security-role>
<security-role>
<description>Guest User</description>
<role-name>guest</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Privileged area</web-resource-name>
<url-pattern>/restricted/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>privileged</role-name>
</auth-constraint>
</security-constraint>
When the first time a user makes an http request to access a restricted page, they have no role and asked for user name/password. The container may validate the user name against a database and assign the user a role (e.g. admin). Where does the container store this role so that for subsequent http requests, it knows that the request has the appropriate role to access to the resource?
It is stored in the HTTP Session in the web container. Usually, the client will receive a session ID (usually in the form of a cookie, but it doesn't have to be) on its first request to the server - or the first request to the server after its previous session has expired. The client will then send that session ID on subsequent requests. Once the client is authenticated, its security context is stored in the HTTP Session associated with the session ID. The flow would look something like this: