According to HFSJ, an empty <auth-constraint> element combines with anything to ensure that nobody has access to the constrained resource, while ignoring <auth-constraint> element ensures that all have access. What if the two are mentioned together in a DD, for the same <web-resource-collection> ? [ December 11, 2005: Message edited by: Subramanian PN ]
This is explained in the servlet spec (SRV. 12.8.1 Combining Constraints)
"The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."