In HFSJ page No 639 says, when interpreting two separate security-constraint the auth-constraint will work like,
2) Role name of "*" combines with anything else to allow access to everybody. 3) An empty <auth-constraint> tag combines with anything else to allow acces to noboddy! In other words, an empty <auth-constraint> is always the final word!.
In this what happen if the <auth-constraint> is like, A) <auth-constraint> * </auth-constraint> b) <auth-constraint/>