I think the confusion might arise when you take the concept of "allowed" (whatever that means), confuse it with "constrained", and then apply concepts like "all" or "none" to either one, interchangeably.
A
security-constraint is applied to a
web-resource-collection. Optionally, the web-resource-collection might have fine-grained
http-methods.
So if your constraint for certain resources contains no method specifications, then the constraint is applied to "all" (since applying it to "none" wouldn't make any sense; what was the point?).
The moment you specify at least one method, the constraint is only applied against the (list of) method(s). If you specify only one method then, the constraint only applies when accessed by that method.
Without looking at the book and knowing the context, and from the errata alone, I can venture that it should (might?) have been written as:
"If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are constrained."
I reserve the right to change my mind after looking at page {634}
[ November 23, 2004: Message edited by: Mike Curwen ]