When there is no <http-method> element in <security-constraint>, are all methods protected or are all exempted?
posted 12 years ago
Leaving out the http-method is the same as listing every one (i.e. <http-method>GET</http-method> <http-method>POST</http-method> etc.). So it's a pretty good way to do it. If you put just one method, that opens up a hole for other methods. In other words, if you put only <http-method>GET</http-method>, people could get to your resource through the POST method without authentication, and you may not have wanted that.