I have 2 roles.
One is the admin role that can see all pages.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
The other is the it role that can see IT pages.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>IT Pages</web-resource-name>
    <url-pattern>/it/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>it</role-name>
  </auth-constraint>
</security-constraint>
Here I have a page that admin and it must access, but only in case the user has both roles admin and it, and not only one of them.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin and it Pages</web-resource-name>
    <url-pattern>/other/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>it</role-name>
  </auth-constraint>
</security-constraint>
But the actual behavior of the previous <security-constraint> is that the admin or it role can access this page.
How can I make it so that the user must be declared in both roles admin and it in order to access this page, and not only one of them?
This is not possible. Roles don't work that way. You seem to have the meaning of roles backwards. It's perhaps easier to think of roles as permissions.
Just create a new role.
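
What the "new role" approach from the answer above could look like in web.xml, as an added example that is not part of the original question or answer. The role name admin-it is hypothetical, and the example assumes it is granted in the user store only to users who hold both admin and it.

```xml
<!-- Added example. "admin-it" is a hypothetical role name: assign it in the
     realm / user store only to users who already hold both admin and it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin and IT Pages</web-resource-name>
    <url-pattern>/other/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Several role-name entries in one auth-constraint are OR-ed,
         so list only the combined role here. -->
    <role-name>admin-it</role-name>
  </auth-constraint>
</security-constraint>

<!-- Declare every role that the constraints in this descriptor reference. -->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>it</role-name>
</security-role>
<security-role>
  <role-name>admin-it</role-name>
</security-role>
```

For a request under /other/*, the container applies the constraint whose URL pattern is the best match, so the /* constraint for admin does not by itself open this path to users who hold only admin.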