Following differences in web.xml of business-central have been found, comparing generic deployable binaries and EAP deployable binaries after enabling configuration for JAAS on Tomcat (marked as "TOMCAT-JEE-SECURITY"):

1. missing security constraint for formModeler in generic deployable binaries

2. missing url pattern for *.erraiBus in security constraint in generic deployable binaries

3. parameter of UberFire security filter org.uberfire.cookie.id="kie.ide" (generic deployable binaries) vs. "kie.ide.console" (EAP deployable binaries)

Could you please double check if those differences are correct?