1. In a web application, is it better to handle security Declaratively or Programmatically?
I feel the generic answer should be Declaratively. However, as the question asks specifically about security, I would answer programmatically. Setting the security using annotations makes sure it is not altered easily (unless a new jar is built and deployed).
Whizlabs says Declaratively. What is your opinion?
2. How many HTTP methods are there?
Whizlabs says 7. In my opinion the answer is 9 [GET, POST, PUT, DELETE, TRACE, OPTIONS, HEAD, CONNECT, PATCH]. What do you think?
For your first question, I think you are thinking too deep.
Wouldn't it be great to handle security programmatically rather than coding your security logic into servlet code?
And for your second question, the question is asking about doXXX() methods, not the methods that you can request from a web server.
In HttpServlet (an abstract class) we have doDelete(), doOptions(), doGet(), doPut(), doPost(), doTrace(), doHead().
So only 7 methods.
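The two styles discussed in this thread, side by side, as an added example that is not code from either poster: the same role check done declaratively with a Servlet 3.0 annotation and programmatically inside doGet(). The class names, URL patterns and the "manager" role are assumptions, and the programmatic version assumes a login mechanism is configured for the web application.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical holder class; both servlets are illustrative only.
public class SecurityStyles {

    // Declarative: the container enforces the constraint before any doXXX()
    // method runs. With no per-method overrides, @HttpConstraint applies to
    // every HTTP method sent to this URL pattern.
    @WebServlet("/declarative/report")
    @ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"}))
    public static class DeclarativeReport extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("report for " + req.getRemoteUser());
        }
    }

    // Programmatic: the check lives in servlet code, so every doXXX() method
    // that is overridden must repeat it or the method is left unprotected.
    @WebServlet("/programmatic/report")
    public static class ProgrammaticReport extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // Ask the container to authenticate the caller; a false return
            // means the response already carries the challenge or error.
            if (!req.authenticate(resp)) {
                return;
            }
            if (!req.isUserInRole("manager")) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("report for " + req.getRemoteUser());
        }
        // doPost(), doPut() and doDelete() are not overridden here, so the
        // inherited HttpServlet versions reject those requests with an error.
    }
}
```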