Hi, yes dude, I think you are right; well, at least that's what the HFS book says: "if there were not <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP methods are allowed by anyone in any role...". Well, I too have the same interpretation as you.

Regards,
Simon
The auth-constraint applies to the combination of URL pattern + HTTP method. The access permission is granted to the users/roles defined in the <auth-constraint> for the combination of URL pattern and HTTP method. Here there is no http-method defined, so the access is granted to URL pattern + ALL HTTP methods.
My point is that if no http-method is specified, it assumes that all the methods are constrained and gives permission only to the role name defined in the <auth-constraint> sub-entry.
If you specify only one http-method, say POST, any user can access the resource without any authentication for the HTTP methods other than POST. The container does not even display your authentication screen for these methods, as your resource is not secured for these methods. But for the POST method, the user must be authenticated and must match the role names specified in the <auth-constraint>.
Also, you can access the resource if the corresponding doXXX method is defined in the servlet. If methods other than POST are not implemented in the servlet, then there is no use in applying the constraint to all methods in most cases, as the default implementation throws an exception.
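
The behaviour discussed in the posts above, as an added example that is not part of the original thread: a small Python audit over a constructed web.xml that reports, for each <web-resource-collection>, which HTTP methods the constraint leaves uncovered. The descriptor, resource names, roles and the method list are assumptions made for illustration, and each constraint is evaluated in isolation (overlapping constraints on the same URL pattern are not merged).

```python
import xml.etree.ElementTree as ET

# Methods that HttpServlet dispatches to doXXX handlers (assumed audit scope).
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"}

# Constructed sample descriptor, not taken from the thread.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>post-only</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all-methods</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def children(elem, name):
    """Direct children with the given local name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit(web_xml):
    """Return one finding per web-resource-collection in the descriptor."""
    findings = []
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        roles = [r.text.strip() for ac in children(sc, "auth-constraint")
                 for r in children(ac, "role-name")]
        for wrc in children(sc, "web-resource-collection"):
            listed = {m.text.strip() for m in children(wrc, "http-method")}
            # No <http-method> element: the constraint covers every method.
            covered = listed or HTTP_METHODS
            findings.append({
                "patterns": [p.text.strip() for p in children(wrc, "url-pattern")],
                "roles": roles,
                "covered": sorted(covered),
                # Methods the container serves without applying this constraint.
                "uncovered": sorted(HTTP_METHODS - covered),
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_WEB_XML):
        print(f["patterns"], "roles:", f["roles"], "uncovered:", f["uncovered"] or "none")
```

A non-empty "uncovered" list marks a URL pattern that can be reached with those methods without authentication, which is the POST-only case described above.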