Consider we have two users, "user" with role "user" and "manager" with role "manager" and two secured areas /user/* and /manager/, so only "user"'s can access pages with URL /user/ and only "manager"'s can access pages with URL /manager/*.
If we log in as "user", we can access only /user/* pages, "403 Forbidden" if we try to access /manager/* pages. It is OK.
Now, if we clean the session (request.getSession().invalidate()), we will be logged out, so we cannot access nor /user/, nor /manager/ pages - server redirects to the login page. It is OK.
But if we login second time, as a "manager", we can access both page sets - /user/* and /manager/*! It means that authenticated user owns both roles "user" and "manager", but this is impossible combination!