Here is another one, the combination of <auth-constraint/> with no <auth-constraint>.
The spec and HFSJ both mentioned the combination of <auth-constraint/> with others and empty <auth-constraint> with others, but didn't mention which wins when these two are combined.
I tested in Tomcat 5.5; the result is that the request is allowed without authentication.
Can anyone confirm this is the behaviour of the spec? Did I miss something from the spec?