2 Replies Latest reply on Aug 14, 2014 8:09 PM by pcraveiro

    How to protect url-pattern by Role

    susnet

      How do I protect e.g. /admin for users logged in with the Role "admin" only, in the best way, using PicketLink?

       

      This is what I would like to do (in this example I use Java EE security in web.xml):

       

      <!-- /admin/* is restricted to the "admin" role. No <http-method> is listed on purpose:
           listing methods would leave every unlisted method (HEAD, OPTIONS, ...) unprotected. -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>admin area</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <!-- forces HTTPS for this area; the container redirects plain HTTP requests -->
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <!-- /member/* is restricted to the "member" role. Note: no <user-data-constraint> here,
           so this area is reachable over plain HTTP if the connector allows it. -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>member area</web-resource-name>
          <url-pattern>/member/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>member</role-name>
        </auth-constraint>
      </security-constraint>

      <!-- Configure form authentication -->
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/pages/login.xhtml</form-login-page>
          <form-error-page>/pages/login-error.xhtml</form-error-page>
        </form-login-config>
      </login-config>

      <!-- Define application roles; every role referenced in an <auth-constraint> must be declared -->
      <security-role>
        <role-name>admin</role-name>
      </security-role>
      <security-role>
        <role-name>member</role-name>
      </security-role>
      <security-role>
        <role-name>guest</role-name>
      </security-role>

       

      But this Java EE security XML does not work if it is not configured properly (of course).

       

      What is the best way to implement this using PicketLink? Is it to integrate Java EE security somehow? Am I supposed to do it like the SSO examples? Although I do not need SSO, should I still implement SSO just for this feature?

      Or is there some way to use the PicketLink Authentication Filter to solve the same problem? Like this question: http://stackoverflow.com/questions/24657169/how-to-customize-picketlink-authenticationfilter

       

      I hope you understand my use case; I guess it is quite common. Please ask me otherwise and I will try to explain it better.

       

      Thank you for answering in advance!
      /Susanne

        • 1. Re: How to protect url-pattern by Role
          pcraveiro

          Hi Susanne,   

           

              Unfortunately, we don't provide an OOTB solution for that yet. We're working on a design to provide Servlet Security for CDI applications. I would suggest you write your own filter and use what PicketLink already provides to check for roles and groups.

           

              Please give us some more time and we'll get this done.

           

          Thanks.
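One way to do what the reply above suggests: a servlet filter that maps URL prefixes to required PicketLink roles. This is an added example, not code from the original post or from the PicketLink project. It assumes the PicketLink basic identity model (`BasicModel`, roles granted with `BasicModel.grantRole`), a Servlet 3.0 container with CDI injection into filters, and hypothetical paths, role names and login page taken from Susanne's web.xml; the class and method names `RoleUrlFilter` and `requiredRoleFor` are invented for the example.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.picketlink.Identity;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;

/**
 * Role-based URL protection as a servlet filter (example code, not part of PicketLink).
 * Assumes the PicketLink basic identity model; prefixes, role names and the login page
 * are hypothetical and mirror the web.xml in the question.
 */
@WebFilter(urlPatterns = {"/admin/*", "/member/*"})
public class RoleUrlFilter implements Filter {

    // Assumed mapping: URL prefix -> required role name. First matching prefix wins.
    private static final Map<String, String> PROTECTED_PREFIXES = new LinkedHashMap<String, String>();
    static {
        PROTECTED_PREFIXES.put("/admin/", "admin");
        PROTECTED_PREFIXES.put("/member/", "member");
    }

    @Inject private Identity identity;                       // current user's session state
    @Inject private IdentityManager identityManager;         // looks up Role objects
    @Inject private RelationshipManager relationshipManager; // checks Grant relationships

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Use the container-normalised, decoded path relative to the context root rather
        // than the raw request URI, so encoded or "../" segments cannot dodge the prefix test.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        String requiredRole = requiredRoleFor(path);

        if (requiredRole == null) {
            chain.doFilter(req, resp); // not a protected area
            return;
        }
        if (!identity.isLoggedIn()) {
            // Anonymous user: send to the login page, like FORM auth would.
            response.sendRedirect(request.getContextPath() + "/pages/login.xhtml");
            return;
        }
        Role role = BasicModel.getRole(identityManager, requiredRole);
        if (role == null || !BasicModel.hasRole(relationshipManager, identity.getAccount(), role)) {
            // Logged in but not granted the role: fail closed with 403.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Returns the role a path requires, or null if the path is not protected. */
    static String requiredRoleFor(String path) {
        for (Map.Entry<String, String> e : PROTECTED_PREFIXES.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Two things the web.xml version gives you that this filter does not: the `CONFIDENTIAL` transport guarantee (you still need to force HTTPS on the connector or in a separate filter), and coverage of FORWARD/INCLUDE dispatches, which `@WebFilter` only applies to if you add `dispatcherTypes` for them. An unknown role name fails closed (403) rather than falling through, which is the behaviour you want when someone mistypes a role in the mapping.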

          • 2. Re: How to protect url-pattern by Role
            pcraveiro

            Hey Susanne,

             

                PicketLink 2.7.0.Beta1 is going to provide HTTP Security. In your case, RBAC for URLs will be supported OOTB and fully integrated with PicketLink Identity Management and CDI.

             

                Release is going to happen next week.

             

            Regards.