If we do not specify <http-method> inside <security-constraint> then NO one can access the resource provided in the <url-pattern> irrespective of the content of <auth-constraint>
Your statement is wrong. If you don not specify http-method , then by default all HTTP methods will be constrained. For example: <security-constraint> <web-resource-collection> <web-resource-name>a</web-resource-name> <url-pattern>/Testsample</url-pattern> </web-resource-collection> <auth-constraint> <role-name>manager</role-name> </auth-constraint> </security-constraint>
In this example only users with role as "managers" will be able to make any HTTP requests(GET,POST,HEAD,PUT,TRACE,OPTIONS,DELETE) on the resource Testsample.Other users will not be able to make any HTTP request on the resource Testsample. If no <auth-constraint> is present in the above case,everyone will given access the make any HTTP request on Testsample. If empty <auth-constraint/> is present in above case, no body will be able to make any HTTP request on Testsample.
Hi, Swapna,That is correct. If no <http-method> is specified in <web-resource-collection> element, then all the HTTP Methods are restrained and only roles mentioned in <auth-constraint> can access those resources.
If you ask me anything I don't know, I'm not going to answer.<br />--Yogi Berra