During the creation of a second version of the MP JWT example [1] I found a bug related with the enforcement of the @RolesAllowed validation.
I created https://issues.apache.org/jira/browse/TOMEE-2357 with the details. If nobody is currently working on this issue, I would like to request to JIRA admins to assign the ticket to me so I can work on the fix this week. [1] email thread: "MP JWT example revisited" -- Atentamente: César Hernández Mendoza.