In HFSJ first edition page no 634 it is said that "if no <http-method> is specified then that means none of the http-methods are allowed
In Page no 660 it is said that "we left off <http-method> so that no http-methods are accessible by any one apart from Admin
It is confussing when we wont specify http-method in such cases none of them are able to access any of the http-methods but in second case even though we have not specified http-method by specifying the <role-name> Admin </role-name> how Admin will be able to access all the http-methods but not others. I think even Admin should not be able to have access to any of the http-methods becuase we have no specified http-methods in web.xml is that correct?
Joined: Jul 25, 2008
if role-name is specified , only the specfied role name can access the resource with that specified http method.
if the http-method tag is not there, all the HTTP methods are constrained.
so , all the methods can be used to access the resource by the Admin which is role specified in role-name.