Please consider the following question, copied from the HFSJ book:
Given these fragments from within a single tag in a Java EE DD:
Which are true? (Choose all that apply.)
A. A Java EE DD can contain a single tag in which all of these tags can legally co-exist.
B. It is valid for more instances of <auth-constraint> to exist within the single tag described above.
C. It is valid for more instances of <user-data-constraint> to exist within the single tag described above.
D. It is valid for more instances of <url-pattern> to exist within the <web-resource-collection> tag described above.
E. It is valid for other tags of the same type as the single encasing tag described above to have the same <url-pattern> as the tag above.
F. This tag implies that authorization, authentication, and data integrity security features are all declared for the web application.
The book gives options A, B, D, E and F as the correct answers.
While I understood options A, D and E, I had doubts about B and F. Let's come to option F first. I made a sample program without a <login-config> element but WITH a <security-constraint> element. When I tried to access the constrained resource, it gave me a 403 access denied error. Option F says that the above XML snippet (in the question) declares authentication, authorisation and data integrity. While authorisation and data integrity are understood, it is not true for authentication. We can't predict whether it has declared authentication. It is true that before authorisation, authentication has to happen, and by the 403 error we know that the user needs to be authenticated, but the exact elements are not declared in the XML file.
Option B is wrong unless I misinterpreted the question. I put more than one <auth-constraint> tag inside <security-constraint> and the web.xml gave an error. So in my opinion option B and option F should be ruled out, unless somebody interprets the question in a way that makes them true. Please respond if somebody else had doubts about the same question.
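The following is an added example, not code from the book or from the post above: a small Python check for the element cardinalities that options B, C and D ask about, plus the missing `<login-config>` case from the experiment described. It relies on the servlet deployment descriptor schema declaring `<auth-constraint>` and `<user-data-constraint>` as optional, single-occurrence children of `<security-constraint>`; the function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample DD: shared url-pattern, repeated auth-constraint, no login-config.
SAMPLE_DD = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>/audit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports-again</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <auth-constraint><role-name>clerk</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Drop any XML namespace so namespaced and plain DDs are handled alike."""
    return tag.rsplit("}", 1)[-1]

def lint_web_xml(xml_text):
    """Return (constraint index, finding) pairs for each <security-constraint>."""
    root = ET.fromstring(xml_text)
    has_login = any(local(c.tag) == "login-config" for c in root)
    constraints = [c for c in root if local(c.tag) == "security-constraint"]
    findings = []
    for n, sc in enumerate(constraints, start=1):
        kids = [local(c.tag) for c in sc]
        if "web-resource-collection" not in kids:
            findings.append((n, "no web-resource-collection"))
        for single in ("auth-constraint", "user-data-constraint"):
            if kids.count(single) > 1:  # schema: optional, at most one
                findings.append((n, f"{kids.count(single)} x {single}"))
        if "auth-constraint" in kids and not has_login:
            findings.append((n, "auth-constraint but no login-config"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_web_xml(SAMPLE_DD):
        print(f"security-constraint #{n}: {msg}")
```

The repeated `<url-pattern>` entries and the pattern shared between the two constraints produce no finding; only the doubled `<auth-constraint>` and the absent `<login-config>` are reported.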