You don't redefine security roles in web.xml
. You list them so an application server knows about their use in your code.
When you deploy a secured application, an application server reads a deployment descriptor to solicit information about security configuration. It knows about roles that are used in your application. The application can then use the roles and expect the application server is able to map them to users and groups (that ultimately resolve to users again as users are the security finest building blocks).
Speaking of mapping roles to users, that's where a realm comes in. It offers the mapping so you know that a role X in a deployment descriptor maps to the role X in a database that in turn map to users A and B.
With that said, the database that's used by jdbcRealm has exactly the same roles because they're the keys to users that the application server needs to map to roles in the application.
What you use in your code and a deployment descriptor is a logical name of a group of users that are resolved to real users via the mapping that's offered by the jdbcRealm.