I've made some progress. I can now get my test JSP to display roles using isInRole(), corresponding to what I have set in application-roles.properties.
HOWEVER, it looks like JBoss is still not enforcing the security constraint that is in the web.xml, i.e., regardless of whether or not an authenticated user has the correct role, I am still able to access the protected resource.
Is there something else that needs to be enabled in JBoss, i.e., is security enforcement disabled by default?
You'll have to add a security-domain element in jboss-web.xml of your application and point it to the security-domain that you want to use. The security-domain configurations can be done in the security subsystem of the standalone/domain.xml file.
P.S.: I know, this might not be enough information to get you started. But right now I don't have access to the docs or tutorials which might help you with this and I'm in a hurry. So if you still have questions, feel free to ask; someone else might help.
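
The configuration described in the reply above, as an added example that is not part of the original posts. It assumes a JBoss AS 7 / EAP 6 style server with the legacy security subsystem (inferred from the use of application-roles.properties); the domain name `my-app-domain`, the role `app-user` and the URL pattern are hypothetical.

```xml
<!-- WEB-INF/jboss-web.xml: binds the web application to a security domain.
     "my-app-domain" is a hypothetical name used for this example. -->
<jboss-web>
    <security-domain>my-app-domain</security-domain>
</jboss-web>

<!-- standalone.xml (or domain.xml), inside the security subsystem's
     <security-domains> element: the domain that the name above refers to.
     RealmDirect delegates to ApplicationRealm, which reads
     application-users.properties and application-roles.properties. -->
<security-domain name="my-app-domain" cache-type="default">
    <authentication>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>

<!-- WEB-INF/web.xml (constructed sample): the constraint the container
     enforces. The role name must match an entry in
     application-roles.properties; "app-user" is hypothetical. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>app-user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ApplicationRealm</realm-name>
</login-config>
<security-role>
    <role-name>app-user</role-name>
</security-role>
```

To confirm enforcement, request the protected URL as an authenticated user who lacks the role and check that the server answers 403 rather than serving the resource.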