Suppose the DD has two roles defined - Admin and User.
Suppose there are two <security-constraint> elements in the DD. Both constrain the same
resource. One of them DOES NOT have an <auth-constraint> element.
When I requested /mini/yes in Tomcat 5.5 it did NOT ask for any authentication, i.e.
it allows unauthenticated access to all the roles. There is a similar question in the Kathy Sierra Mock Exam (2nd Edition), Q 30. According to the Errata, only the "user" role should be allowed access. WHY?
The Servlet Spec says (which is not very clear):
"A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."
My question is: when combining constraints, if one of the <security-constraint> elements has NO <auth-constraint>, how will it combine with the others?