The WildFly Swarm MP JWT implementation works by scanning the JAX-RS resource classes and converting their security annotations (such as @RolesAllowed) into <security-constraint> elements in web.xml. A <security-constraint> can only distinguish requests by URL pattern and HTTP method, and that is not enough to describe everything JAX-RS can express. Consider this JAX-RS resource:
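The resource itself is not reproduced on this page, so here is an added example in the shape the text describes (it is not the original author's code; the class, path, method and role names are assumed): one URL, one HTTP method, and two methods that differ only in @Produces and in the role they are restricted to.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// Hypothetical resource: both methods answer GET /report, and JAX-RS picks one
// purely from the client's Accept header, but each is meant for a different role.
@Path("/report")
public class ReportResource {

    // Plain-text representation, intended only for the "admin" role (assumed name).
    // Selected for "Accept: text/plain".
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("admin")
    public String plain() {
        return "report: 42 incidents";
    }

    // HTML representation, intended only for the "web" role (assumed name).
    // Selected for "Accept: text/html".
    @GET
    @Produces(MediaType.TEXT_HTML)
    @RolesAllowed("web")
    public String web() {
        return "<html><body><p>report: 42 incidents</p></body></html>";
    }
}
```

Nothing in this class is exotic: content negotiation on @Produces is standard JAX-RS dispatch, and @RolesAllowed is the usual way to express per-method authorization.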
This is 100% valid JAX-RS: the method to be called is selected by the URL and by the Accept header. (This is, by the way, commonly done in more complex REST APIs that want to serve the same resource in multiple representations.) Our MP JWT implementation isn't able to honor the @RolesAllowed annotations properly here, because both methods map to the same URL and HTTP method and therefore to the same <security-constraint>: the plain method can be called by users in the web role, and vice versa.
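To make the limitation concrete, this is an added illustration (not output captured from WildFly Swarm) of the most that a web.xml constraint can say about the resource above, assuming the application is mounted at the context root so the pattern is /report. A <web-resource-collection> has only <url-pattern> and <http-method> children; there is no element that can express "only when Accept is text/plain". Whether the scanner emits one merged constraint like this or two constraints with one role each makes no difference: the Servlet specification combines <auth-constraint>s that apply to the same pattern and method by taking the union of their role names.

```xml
<!-- Added example: the best a servlet security constraint can do for GET /report.
     Both JAX-RS methods collapse into this single (url-pattern, http-method) pair,
     so the two role sets are effectively unioned and either role reaches either method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ReportResource</web-resource-name>
    <url-pattern>/report</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>web</role-name>
  </auth-constraint>
</security-constraint>
```

A quick way to confirm the behaviour on a deployment is to request GET /report with "Accept: text/plain" while presenting a JWT whose groups claim contains only the web role: if the container enforces only the web.xml constraint, the request passes the constraint (the caller is in one of the listed roles) and JAX-RS happily dispatches to the plain method, returning 200 where 403 was intended.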