Whether /jsp/protected.jsp is a constrained resource is not important here. Just like a private method been called by another method. It all depends on the page including the /jsp/protected.jsp. So e is correct.
Joined: Apr 27, 2004
Thx for your reply. I want ask another question. <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>test</web-resource-name> <url-pattern>/jsp/protected.jsp</url-pattern> </web-resource-collection> <auth-constraint> <role-name>manager</role-name> </auth-constraint> </security-constraint> ... </web-app> If I don't define <http-method> in web-recource-collection. Does it mean that manager can't request protected.jsp by any method? or manager can request protected.jsp by any method? Which combination is correct? Thx!!
Joined: Jan 28, 2004
If you are using HFSJ, its errata is the errata! The book's original description is correct.
Anyway, without <http-method>, ALL http methods are constrained according to the <security-constraint> defined.