In the EAP 7.1 documentation, in the "Chapter 2. How to Set Up SSO for JBoss EAP with Kerberos", as under the section of "2.5. Configuring the Web Application" [1], there is a given example of web.xml file, where we can read the following:

...
<role-name>All</role-name>
...

The security role "All" was used, but this has to be set the role "*" using a wildcard in order to let any authenticated user access the web application in JBoss.

The same should be also corrected in the the EAP 7.0 documentation, in the "Chapter 2. How to Set Up SSO for JBoss EAP with Kerberos", as under the section of "2.1.5. Configuring the Web Application" [2].

Please read kcs https://access.redhat.com/solutions/48201 for more on why the JBoss EAP requires that the '*' role be defined in the web.xml file to let any authenticated user access the web application in JBoss.

[1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/how_to_set_up_sso_with_kerberos/#configuring_the_web_application
[2] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/how_to_set_up_sso_with_kerberos/index#configuring_the_web_application