This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
There are (at least) two implementations that deal with the security constraints in different ways.
1) If you don't specify a method, everybody can access it.
2) If you don't specify a method, nobody can access it.
While we could debate which is "more correct", you are stuck with the implementation chosen by your application server. In your case, that would be approach #2. Can you edit the web.xml to add an entry for get/post to allow the security you want?