When <auth-constraint>*</auth-constraint> is used, the container does not check the <security-role>. Access is given to everyone. This is the default; it is as good as no security mechanism being applied to the application. Even the login screen (form and basic authentication) will not appear for this constraint.
Narendra, as per the question, security is given only to member and not to all. My question and how the answer has appeared are totally different. Security is given to member and to all. Can you explain why everyone was chosen when member alone should have been chosen? Thanks, Padma priya N.G.
You define the resource using <web-resource-collection> and then secure the resource using <auth-constraint> to tell the container that only these roles have access to this area. If there is a * in <role-name> under <auth-constraint>, then all users are permitted, including Member. If you want to give access to only Member, then the * is not valid.
The <auth-constraint> element has a <role-name> sub-tag; therefore the entries defined in your example are invalid.
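An added example, not part of any post in this thread: a small checker that reads a deployment descriptor and classifies each <auth-constraint> as invalid (text placed directly in the element), wildcard (<role-name>*</role-name>) or restricted to named roles. The sample descriptor, the role "Guest", the resource names and the function names are assumptions; expanding * to the declared <security-role> names follows the Servlet specification rather than anything stated above.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread). Role "Guest" and the
# resource names are assumptions made for illustration.
SAMPLE_WEB_XML = """<web-app>
  <security-role><role-name>Member</role-name></security-role>
  <security-role><role-name>Guest</role-name></security-role>
  <security-constraint>
    <web-resource-collection><web-resource-name>bare-star</web-resource-name>
      <url-pattern>/a/*</url-pattern></web-resource-collection>
    <auth-constraint>*</auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>star-role</web-resource-name>
      <url-pattern>/b/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>member-only</web-resource-name>
      <url-pattern>/c/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Member</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _find(parent, name):
    # Match on the local tag name so namespaced web.xml files work too.
    return [e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_auth_constraints(xml_text):
    """Return (resource name, verdict, roles) for each <auth-constraint>."""
    root = ET.fromstring(xml_text)
    declared = [r.text.strip() for sr in _find(root, "security-role")
                for r in _find(sr, "role-name")]
    report = []
    for sc in _find(root, "security-constraint"):
        name = _find(sc, "web-resource-name")[0].text.strip()
        for ac in _find(sc, "auth-constraint"):
            roles = [(r.text or "").strip() for r in _find(ac, "role-name")]
            if (ac.text or "").strip():      # text placed directly in the element
                report.append((name, "invalid", []))
            elif "*" in roles:               # wildcard: every declared role
                report.append((name, "all-roles", declared))
            else:                            # only the roles named here
                report.append((name, "restricted", roles))
    return report

if __name__ == "__main__":
    for row in audit_auth_constraints(SAMPLE_WEB_XML):
        print(row)
```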