Actually I have no idea why, but the following configuration solved my problem.
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL Secured WebService</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated customers only</web-resource-name>
<url-pattern>/services/customers/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>CUST</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
The <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
needs to be added in each <security-constraint>
otherwise it won't work for JBoss. The interesting thing is that for Tomcat you have to define the <transport-guarantee>CONFIDENTIAL</transport-guarantee>
just once a time for the <url-pattern>/*</url-pattern>
and everything is secured properly. In my opinion this is much more reasonable!