diff --git a/jetty-ee10/jetty-ee10-webapp/src/main/java/org/eclipse/jetty/ee10/webapp/StandardDescriptorProcessor.java b/jetty-ee10/jetty-ee10-webapp/src/main/java/org/eclipse/jetty/ee10/webapp/StandardDescriptorProcessor.java
index 40b1f64e7aa..b1f783ddc07 100644
--- a/jetty-ee10/jetty-ee10-webapp/src/main/java/org/eclipse/jetty/ee10/webapp/StandardDescriptorProcessor.java
+++ b/jetty-ee10/jetty-ee10-webapp/src/main/java/org/eclipse/jetty/ee10/webapp/StandardDescriptorProcessor.java
@@ -1312,7 +1312,11 @@ public class StandardDescriptorProcessor extends IterativeDescriptorProcessor
 {
 case ConstraintSecurityHandler.ANY_KNOWN_ROLE -> // "*"
 {
- if (scBase.getAuthorization() == null)
+ //The hierarchy of role authorizations is:
+ // ANY_USER
+ // KNOWN_ROLE
+ // SPECIFIC_ROLE
+ if (scBase.getAuthorization() != Constraint.Authorization.ANY_USER)
 {
 scBase.authorization(Constraint.Authorization.KNOWN_ROLE);
 roles = null;
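Review bot: The new guard `if (scBase.getAuthorization() != Constraint.Authorization.ANY_USER)` replaces every state other than ANY_USER with KNOWN_ROLE and clears `roles`, so it should be confirmed that no stricter value (for instance `Constraint.Authorization.FORBIDDEN`) can already be set on `scBase` when a `*` role-name is reached. If only the unset and specific-role states are meant to be widened, naming them in the condition would make that explicit instead of implied by exclusion. The added comment lists the three levels without saying which end is the more permissive or why the check exists; I would write it as `// Most to least permissive: ANY_USER > KNOWN_ROLE > SPECIFIC_ROLE. "*" may widen a SPECIFIC_ROLE result but must never narrow ANY_USER.` The sibling `case` branches and the rest of the switch lie outside this hunk, so whether the outcome is now independent of role-name order (a specific role listed after `*`, for example) cannot be checked from here and deserves a descriptor test covering both orders.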