It is not necessary to list the roles in both places.
The security roles defined in application.xml apply to all modules in the enterprise application. For each module, these roles will be combined with the security roles defined in the module's deployment descriptor (web.xml for web application modules). So basically if you have a multi-module enterprise application that shares roles, you can declare them all in one place. But note that you don't have to declare any role names in the deployment descriptors if you reference all roles via @DeclareRoles and @RolesAllowed annotations, but you still can to give them full descriptions.
From Section EE 8.4.1 of the Java EE Platform Specification (v7):
"Descriptions of role names that are used by many components of the application can be included in the application-level deployment descriptor."
And from Section 8.5.2:
"When presenting security role descriptions to the Deployer...." goes on to say that what's in application.xml overrides individual modules, if they both specify the same role name.