RE: auth-constraint

Hi
Id like to know the difference between NOT having any auth-constraint and having
<auth-constraint> <role-name>*</role-name> </auth-constraint>

Is it the same ie. allowing access to EVERYBODY except for NO auth-constraint entry allows UNauthenticated access whilst the latter allows only authenticated access to everybody please?

Also is this legal please (no inner role-name)?:
<auth-constraint>Super-user</auth-constraint>

thanks a million
regards
Rina

[Removed first comment]
If you don't set any auth-contraint, everybody will be authorized to access the resource. Same as using "*" for a role-name. (Setting an empty auth-constraint will forbide anybody to access the resource).

<auth-constraint>Super-user</auth-constraint>

No, it's not valid, you have to use role-name.
[ September 13, 2007: Message edited by: Christophe Verre ]

Yes Chris but if you dont include ANY auth-constraint entry in your security-constraint, does it mean allow access to EVERYBODY even those who are UNauthenticated , i know its useless to declare in DD, but who knows what might pop up in exam to make it bit tricky?
thanks
regards
Rina

does it mean allow access to EVERYBODY even those who are UNauthenticated

Mmmh. I'm checking the spec right now, because I'm not too sure about that. I can't find anything special about it in the spec. After giving it a second thought, if no auth-constrait is set, then the resource should be accessible. (please forget my first reply)

ok thanks lots
regards
Rina