The answer given is B and C. I would have thought the correct answer was only B. The reason I say this is that can you specify the role name in auth-constraint without putting the role name inside a <role-name> ? I thought not. I check the errata but found no mention of it.
I would have though that if B was as below then it would be correct: