with the tomcatAuthentication flag artificially set to false, it is not possible to make use of the security-domain configuration, namely its authorization configuration. The reason is that the JBoss class org.jboss.as.web.security.JBossWebRealm, which evaluates the user's role, delegates to the Tomcat class org.apache.catalina.realm.RealmBase. The RealmBase uses the following code:
The authorization evaluation will always yield false, since the Principal created from Apache's AJP13_FORWARD_REQUEST?remote_user data is of class org.apache.catalina.connector.CoyotePrincipal, not the org.apache.catalina.realm.GenericPrincipal normally created during form-based authentication. But the story does not end here either.
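A self-contained model of the type mismatch described above, added here as an illustration and not taken from Tomcat or JBoss. The `*Model` classes and the shape of `hasRole` are assumptions standing in for the real `GenericPrincipal`, `CoyotePrincipal` and the `RealmBase` check.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class RoleCheckModel {
    // Stand-in for org.apache.catalina.realm.GenericPrincipal: name plus roles.
    static final class GenericPrincipalModel implements Principal {
        private final String name;
        private final Set<String> roles;
        GenericPrincipalModel(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
        @Override public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Stand-in for org.apache.catalina.connector.CoyotePrincipal: name only.
    static final class CoyotePrincipalModel implements Principal {
        private final String name;
        CoyotePrincipalModel(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Assumed shape of the role check: any principal that is not the
    // role-carrying type is refused before its roles are ever consulted.
    static boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null
                || !(principal instanceof GenericPrincipalModel)) {
            return false;
        }
        return ((GenericPrincipalModel) principal).hasRole(role);
    }

    public static void main(String[] args) {
        // Constructed sample users and role names.
        Principal formLogin = new GenericPrincipalModel("alice", "admin");
        Principal ajpForwarded = new CoyotePrincipalModel("alice");
        for (Principal p : new Principal[] { formLogin, ajpForwarded }) {
            // Logging the runtime class makes the mismatch visible when debugging.
            System.out.println(p.getClass().getSimpleName() + " admin="
                    + hasRole(p, "admin"));
        }
    }
}
```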