All the posts and topics that contain only an error report will be moved here after the error is corrected. This is to ensure that when users view a question in ETS Viewer, the "Discuss" button will not indicate the presence of a discussion that adds no value to the question.
The second option "specify a security-role element for boss in the web.xml." is also correct.
<security-role-ref> elements are used when you want to create a link - roles that you have want to use in your application are not consistent with roles used in the code, but there is no problem if declared roles inside web.xml(using <security-role> element) are matching the roles used in the servlet code.