This issue was discovered while updating the TODO app to use aerogear-controller and aerogear-security-picketlink. The problem is that it should be enough that a user belongs to one of the roles, to be allowed access to the protected resource. This task should update the hasRoles method to return true the logged-in users has any of the roles passed in.