Here, if the user role is member, then that user can access the GET method of /TestConnectionServlet, but any other user with another role can access any method of TestConnectionServlet except the GET method.
If the above statement is correct, then if I remove <http-method>, then according to Head First:
If there is no <http-method> in <web-resource-collection>, it would mean that NO HTTP methods are allowed by anyone in any role.
So assume that I removed <http-method>; then I should not get access to TestConnectionServlet.
But I am still getting access. WHY?
This means when /TestConnectionServlet is accessed using the GET HTTP method, allow only Member after the user's authentication. The rest of the HTTP methods are not constrained (no restrictions).
If you have <http-method>, only those methods which are explicitly mentioned are constrained. Remember, the constraints are not set at the resource level; they are set for HTTP methods only! So when you remove the <http-method> totally, it means only allow member to access that resource for all methods.
Regards, Suhas S. Mandrawadkar.
Certifications: SCJP 6, SCWCD 5, Oracle WebLogic Server Administrator, OCE Java EE 6 EJB Developer
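The behaviour described in the answer above can be checked mechanically. The following is an added example, not code from the thread: it audits a deployment descriptor and lists the HTTP methods that a security constraint leaves uncovered for a URL. The two web.xml fragments are constructed from the names used in the thread (the original descriptor is not shown), and the function names `coverage` and `uncovered` are hypothetical.

```python
import xml.etree.ElementTree as ET

METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")

# Constructed web.xml fragments (no XML namespace, for brevity).
WITH_METHOD = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/TestConnectionServlet</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""
# Same constraint with the <http-method> element removed.
WITHOUT_METHOD = WITH_METHOD.replace("      <http-method>GET</http-method>\n", "")


def coverage(web_xml, url):
    """Map each HTTP method to the roles required for url, or None if uncovered.

    Assumptions: exact url-pattern match only, and one constraint per URL
    (the container's rules for combining several constraints are not modelled).
    """
    result = {m: None for m in METHODS}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            continue
        roles = {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            if url not in [p.text.strip() for p in wrc.iter("url-pattern")]:
                continue
            listed = [m.text.strip().upper() for m in wrc.iter("http-method")]
            # No <http-method> element means the constraint covers every method.
            for m in (listed or METHODS):
                result[m] = (result.get(m) or set()) | roles
    return result


def uncovered(web_xml, url):
    """Return the methods that reach url without any role check."""
    return sorted(m for m, r in coverage(web_xml, url).items() if r is None)


if __name__ == "__main__":
    for label, doc in (("with GET listed", WITH_METHOD), ("no http-method", WITHOUT_METHOD)):
        print(label, "-> uncovered:", uncovered(doc, "/TestConnectionServlet"))
```

Running such a check over a descriptor before deployment shows which constraints list individual methods and therefore leave the remaining methods reachable without authentication.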
subject: <security-constraint> in web.xml (http-method)