Enhancement
Resolution: Done
Minor
This filter can change the entity media type to text/html, which has no provider by default.
https://github.com/resteasy/resteasy/blob/main/resteasy-core/src/main/java/org/jboss/resteasy/plugins/interceptors/RoleBasedSecurityFilter.java#L50
Because of this, when I follow the call chain in this way: https://github.com/resteasy/resteasy/blob/main/resteasy-core/src/main/java/org/jboss/resteasy/core/ServerResponseWriter.java#L131
the REST call will skip with NoMessageBodyWriterFoundFailure, which is not the required operation when the client gives a media type.
In the following call, the client expects that the response body will be in JSON format.
curl -o - -I -H 'accept: application/json' -X GET http://localhost:8081/customer/XXX
Instead of this, the returned format is text/html.
If Accept is specified, I think the filter should use that.
By default, use text/plain instead of text/html. I guess in this way the error handling would be more consistent.
final String accept = requestContext.getHeaderString(HttpHeaders.ACCEPT);
throw new ForbiddenException(accept == null ? Response.status(403).entity("Access forbidden: role not allowed").type("text/plain;charset=UTF-8").build() :
Response.status(403).type(accept).build());
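
An Accept header can carry several media ranges with q-values and wildcards (for example `text/html, application/json;q=0.8` or `*/*`), so it is not always a single value that can be used as a Content-Type. The following is an added example, not RESTEasy code and not part of the original report: a dependency-free selection routine that picks the 403 body type from Accept and falls back to text/plain. The class name, the `WRITABLE` list and the sample headers are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;

// Added example (hypothetical class, not RESTEasy's implementation).
public class ForbiddenMediaType {
    static final String FALLBACK = "text/plain;charset=UTF-8";
    // Assumption: the types this application can write an error body as.
    static final List<String> WRITABLE = List.of("application/json", "text/plain");

    /** Returns the Content-Type to use for the 403 response body. */
    static String select(String accept) {
        if (accept == null || accept.isBlank()) return FALLBACK;
        String best = null;
        double bestQ = 0.0;
        for (String range : accept.split(",")) {
            // limit -1 keeps empty trailing parts, so parts[0] always exists
            String[] parts = range.trim().split(";", -1);
            String type = parts[0].trim().toLowerCase(Locale.ROOT);
            double q = 1.0; // default weight when no q parameter is given
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim().toLowerCase(Locale.ROOT);
                if (p.startsWith("q=")) {
                    try { q = Double.parseDouble(p.substring(2)); }
                    catch (NumberFormatException e) { q = 0.0; }
                    if (!(q >= 0.0 && q <= 1.0)) q = 0.0; // reject NaN and out-of-range
                }
            }
            // Only exact, writable types are eligible; wildcards and types
            // without a writer (such as text/html) are never echoed back.
            if (q > bestQ && WRITABLE.contains(type)) { best = type; bestQ = q; }
        }
        if (best == null || best.equals("text/plain")) return FALLBACK;
        return best;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample Accept values
            null, "application/json", "text/html, application/json;q=0.8",
            "*/*", "text/html", "application/json;q=0, text/plain"
        };
        for (String s : samples) System.out.println(s + " -> " + select(s));
    }
}
```

Matching against a fixed list keeps the response type to one a message body writer exists for, which avoids both the NoMessageBodyWriterFoundFailure path and reflecting arbitrary header content into Content-Type.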
Is incorporated by: WFLY-19031 Upgrade RESTEasy from 6.2.7.Final to 6.2.8.Final (Closed)