Okay, I have figured out what was wrong in my 9.1 U2 deployment. Tomcat was letting us get away with not listing all the roles using <security-role> in the web.xml. In GlassFish, if the roles aren't listed, HttpServletRequest.isUserInRole() will return false, but <auth-constraint> will still work. Another case of Tomcat allowing applications to violate the specs.
[Message sent by forum member 'pwardrip' (pwardrip)]
http://forums.java.net/jive/thread.jspa?messageID=325051
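
A descriptor check for the mismatch described in the post above, as an added example that is not part of the original message: it lists roles referenced in `<auth-constraint>` or `<role-link>` that have no matching `<security-role>` declaration. The sample web.xml and the function names `local` and `undeclared_roles` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: "admin" is used in <auth-constraint>
# but only "user" is declared with <security-role>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
"""


def local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def undeclared_roles(web_xml_text):
    """Return roles referenced in the descriptor but never declared via <security-role>."""
    root = ET.fromstring(web_xml_text)
    declared, referenced = set(), set()
    for elem in root.iter():
        name = local(elem.tag)
        if name == "security-role":
            declared.update(c.text.strip() for c in elem
                            if local(c.tag) == "role-name" and c.text)
        elif name == "auth-constraint":
            referenced.update(c.text.strip() for c in elem
                              if local(c.tag) == "role-name" and c.text)
        elif name == "security-role-ref":
            # <role-link> must point at a declared security role
            referenced.update(c.text.strip() for c in elem
                              if local(c.tag) == "role-link" and c.text)
    referenced.discard("*")  # wildcard: all roles declared in the application
    return sorted(referenced - declared)


if __name__ == "__main__":
    print(undeclared_roles(SAMPLE_WEB_XML))
```

Running a check like this in the build catches the gap before deployment, so the application behaves the same on containers that enforce the declaration as on those that do not.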