I am confused about something on p. 660 of the Head First book.
Here is the security constraint they are working with:
At the bottom right of the page it says "We left off <http-method> so that NO HTTP Methods are accessible to anyone except Admins."
But if you look back on p. 634, the comment at the bottom right says:
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."
I may be missing something here, but I thought that leaving them out would mean NO methods allowed for anyone.
(I checked in the errata and didn't see anything on this.)