No rishi and peter, i hv an opposite opinion to that. No user is allowed to access that resource collection if u will not declare auth-conatraint for that security contraint. I m quoting page no - 85 of Servlet Specification:
An authorization constraint is a set of security roles at least one of which users must belong for access to resources described by the web resource collection. If the user is not part of an allowed role, the user must be denied access to the resource requiring it. If the authorization constraint defines no roles, no user is allowed access to the portion of the web application defined by the security constraint.
I m asking some more person to post their Ideas here. Best regards, Dharmin
SCJP2 (93%),SCWCD(88%)<br />-------------------------------<br />Never under estimate yr self, just represent yr profile in proper manner.