http-method element in web-resource-collection

Hi guys,
i was reading through HFS
then i confused about http-method element in web-resource collection

the book says on pg 634
if there were No <http-method> elements in the <web-resource-collection>,it would mean that NO HTTP Methods are allowed,

but errataweb page says

"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."
should be:
"If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are allowed."

I trust errata rather than printed book because its being regulary updated

but on pg 635 again Lower box, 1) point(after 4 th paragraph)
"Do not specify ANY <http-method> elements in the <security-constraint>
which means that ALL methods are constrained"

i am totally confused .. is it allowed or constraint??
can any body help me out of this?
I would like know 2 conditions
when
1. no <http-method> specified
2. <http-method /> is empty
what will happen in both cases ,
It would be great for me if you answer those questions


thanks
sundar

It looks like the box on 634, the 8th and 9th points support the last two points on page 635. So if you go by democracy, those would win.

The spec is about as clear as mud on the topic, so I think you'll just have to try it (and then you need to have faith that your implementation is correct).

--Dale--

This is what I received while testing on Tomcat 5.0.28 using MyEclipse IDE Workbench

Case 1:

If I place an empty <http-method/> in the DD, MyEclipse warns me with the following message

cvc-enumeration-valid: Value '' is not facet-valid with respect to enumeration '[GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE]'. It must be a value from the enumeration.web.xmlSCWCD/WebRoot/WEB-INFline 133January 22, 2005 11:00:33 PM

If I publish despite the above warning, any requests that match <url-pattern> specified in <web-resource-collection> are processed without authentication (seems like server ignore them).

Case 2:

If I remove <http-method> completely from <web-resource-collection>, seems that all methods are constrained - the server demands authentication (I use the BASIC authentication so a dialog pops up)

Case 3:

If the only method specified in <http-method> is POST and I submit a form with method set to POST (to trig doPost()) - the server demands authentication.

If I request GET method by for example typing an url in the browser - the server does not demand authentication.


Looks like case matters!! If I type say <http-method>Get</http-method> (expecting that the GET method will be constrained) Tomcat does not return an error - just ignores it and the method is NOT constrained.

But are they general rules or just Tomcat rules??

Hope this helps (at least a little bit)


Cheers,
Krzysiek

I was similarly confused :

earlier post

Try to correct it this way:

{634} hand written comment at the bottom;
"If there were NO <http-method> elements in the <web-resource-collection>, it would mean that NO HTTP Methods are allowed, by ANYONE in any role."
should be:
"If there are NO <http-method> elements, in the <web-resource-collection>, it would mean that ALL HTTP Methods are CONSTRAINED."


{634} Key points about <web-resource-collection>;
If no HTTP Methods are specified then ALL Method will be constrained!!
should not be changed !!!
[ January 27, 2005: Message edited by: Jerzy Wobalis ]