This week's book giveaway is in the OCPJP forum. We're giving away four copies of OCA/OCP Java SE 7 Programmer I & II Study Guide and have Kathy Sierra & Bert Bates on-line! See this thread for details.
Which are valid <auth-constraint> elements that will allow users to access resources constrained by the security role declared?
A. <auth-constraint/> B. <auth-constraint>*</auth-constraint> C. <auth-constraint>Member</auth-constraint> D. <auth-constraint>MEMBER</auth-constraint> E. <auth-constraint>"Member"</auth-constraint>
The answer given is B and C. How is option B correct ?
As per my understanding, security-role may mention n-number of roles, but only those listed in auth-constriant can make a constrained request for that resource. If no member is listed by auth-constraint then no one can make constrained request and if it is * then everyone is allowed.