On page 669 of the Head First JSP & Servlet book, it says
both have the same effect.
But when I tested using the above two configurations:
*). For the first security constraint configuration, the browser asks for a user name and password and lets a user with any role access the page after authentication.
*). But for the second security constraint configuration, the browser does not ask for any authentication details and allows any user (users with any role + anonymous users) to access the resource.
I am using Tomcat 7 and I would like to know whether this is vendor-specific behavior or the accurate behavior defined in the spec. I think what is mentioned in the book is incorrect.
Tomcat Access Log:
What you posted in your web.xml is different from what you stated in the original problem. In your problem statement you say you are using an empty tag, but in your web.xml you are not including the tag.
Remember that there is a difference between an empty tag and no tag.
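To make the distinction concrete, here is an added illustration (not code from any post in this thread or from the book) showing the three variants of the constraint side by side in one web.xml, each with the behaviour the Servlet specification requires. The URL patterns, the realm name and the role name "member" are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original thread. Assumed: BASIC auth,
     one declared role "member", and three made-up URL patterns. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- (a) No <auth-constraint> element at all.
       The container MUST permit unauthenticated access: nobody is challenged
       for credentials. Only the other parts of the constraint (a
       <transport-guarantee>, or an <http-method> restriction) still apply.
       This is "everybody", anonymous users included. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public pages</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- (b) <auth-constraint> with <role-name>*</role-name>.
       "*" is shorthand for every role declared in this descriptor, so the
       container challenges for credentials and then admits any authenticated
       user who holds one of those roles. This is "everybody who can log in"
       and is NOT the same as (a). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>member pages</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- (c) Empty <auth-constraint/> (the tag is present but lists no role).
       No role is permitted, so the container denies access to everyone,
       authenticated or not. Use this to block a path or a method outright. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>blocked</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Roles must be declared for "*" in (b) to expand to anything. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

When checking which case a deployment is actually in, look for the literal `<auth-constraint` string in the effective web.xml (including any fragments merged in): its absence is case (a), an empty element is case (c), and only a `<role-name>` child gives case (b).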
What I have mentioned at the start of my post is the way it is in the book. But there I have not included an empty tag for auth-constraint. In that code block, I have put a comment inside the <security-constraint> tag saying "without auth-constraint element". I have put the code the same way as it is shown in the book, that is without the <web-resource-collection> tag inside the <security-constraint> tag, although the <web-resource-collection> tag should be there.
And I have put some comments in the places where the <auth-constraint> tag should be if it is used. I cannot see any conflict between what I have said in the problem and my web.xml. I have not used any empty <auth-constraint> tags in any of the code blocks. If you still think there is such a problem, can you please clarify a little bit more?
Thanks & Regards,
Thanks for the response.
That is what I assumed about this issue in the first place. For the first case, the authors have correctly pointed out "If an <auth-constraint> does not exist, the Container MUST allow unauthenticated access for the relevant URLs" on page 668. But after that, what they have said in the examples and exercises related to this topic is misleading; it seems they have used the term "Everybody" with two meanings without noticing it.
Thanks & Regards,
subject: Mistake in HFSJ? : Without auth-constraint and with role-name * in auth constraint