First of all, your url-pattern is not right; it should follow the proper rules. Now, the security constraint you defined says this:
The POST method is constrained. It means not everybody can POST on the given url-pattern. Only users whose role is either MEMBER or ADMIN can POST on the url-pattern. Everybody, including MEMBER, ADMIN or GUEST, can GET, TRACE, HEAD, etc. (all the methods except POST) on the url-pattern. Also keep in mind that anybody can GET on the pattern, but if you haven't overridden doGet then it will throw a 405 method not supported status code (this is obvious). I hope I cleared your doubt.
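
The constraint described in this answer, written out as a `web.xml` fragment (an added example, not part of the original post). The url-pattern `/members/*`, the resource name and the BASIC login-config are assumptions; the role names are the ones used in the answer.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. /members/* and MemberArea are placeholders, not the
     poster's real values. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MemberArea</web-resource-name>
      <!-- A path-prefix pattern: starts with "/" and ends with "/*". -->
      <url-pattern>/members/*</url-pattern>
      <!-- Only POST is listed, so only POST is covered by this constraint.
           GET, HEAD, TRACE, PUT, DELETE and the rest stay open to any
           caller, authenticated or not. -->
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Callers must be in at least one of these roles to POST. -->
      <role-name>MEMBER</role-name>
      <role-name>ADMIN</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- To cover every method instead of POST alone, either remove the
       http-method element above (no http-method means all methods), or on
       a Servlet 3.1 container enable the element below, which rejects any
       method that no constraint lists for the pattern:
  <deny-uncovered-http-methods/>
  -->

  <!-- Assumed authentication mechanism; the post does not name one. -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role><role-name>MEMBER</role-name></security-role>
  <security-role><role-name>ADMIN</role-name></security-role>
  <security-role><role-name>GUEST</role-name></security-role>
</web-app>
```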