1.
<security-constraint>
.....
<http-method>GET</http-method>
<security-constraint>
(i.e. no <auth-constraint>)
<auth-constraint> NOT being there is the same as <auth-constraint>*</auth-constraint>. So, ALL users can access the GET method on the given url-pattern. For all other http-methods, ALL can access them. Hence, in this case, ALL users can access ALL methods on the given url-pattern.
<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
(i.e. no HTTP method)
You are right. If NO http-method is specified, the security constraint applies to all methods. So, admin has access to ALL methods. Also, everybody other than the admin also has access to ALL methods. Hence, everybody has access to ALL methods on the url-pattern.
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
<security-constraint>
(i.e. empty auth-constraint with no role names)
I think, firstly, that </auth-constraint> is an error.
To depict an empty tag, use <auth-constraint />.
Next, this specifies that NOBODY has access to the GET method on the given url-pattern. For all other http methods (besides GET), everybody has access to them on the given url-pattern.
Please make sure you have the errata marked on your copy of HFSJ; then the whole concept is crystal clear from the book itself.
In fact, there is a very good example in the specs: SVR.12.8.2, Page 98, with a nice matrix as solution.
Hope this helps!
Regards,
Ruchi.
[ June 01, 2005: Message edited by: Ruchi Kumar ]
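
Added example (not part of the post above, and not code from HFSJ or the specification): a small Python audit that reads a web.xml and reports, for each security-constraint, which methods it names, who the auth-constraint admits, and whether methods it does not name are left unconstrained. The descriptor is a constructed, abbreviated sample of the three cases; the url-patterns and the output field names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (abbreviated: no <web-resource-name>), one constraint per case.
SAMPLE_WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/one/*</url-pattern><http-method>GET</http-method></web-resource-collection>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/two/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>Admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/three/*</url-pattern><http-method>GET</http-method></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
</web-app>"""

def find_all(elem, name):
    """Find descendants by local tag name, so namespaced descriptors also work."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(web_xml):
    """Return one finding per <security-constraint> in the descriptor."""
    findings = []
    for sc in find_all(ET.fromstring(web_xml), "security-constraint"):
        patterns = [p.text.strip() for p in find_all(sc, "url-pattern")]
        methods = sorted(m.text.strip() for m in find_all(sc, "http-method"))
        auth = find_all(sc, "auth-constraint")
        roles = sorted(r.text.strip() for a in auth for r in find_all(a, "role-name"))
        if not auth:
            who = "anyone"          # no auth-constraint: no authentication required
        elif not roles:
            who = "nobody"          # empty auth-constraint: access precluded
        else:
            who = ",".join(roles)   # only callers in one of these roles
        findings.append({
            "patterns": patterns,
            "methods": methods or ["ALL"],  # no <http-method> means every method
            "who": who,
            # Methods not named here are unconstrained, assuming no other
            # security-constraint covers the same url-pattern.
            "unlisted_methods_open": bool(methods),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML):
        print(finding)
```

A finding with `unlisted_methods_open` set to true is the one to review: the constraint protects only the methods it names, so requests using any other method reach the resource without a check.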