Hi,
This question has been discussed extensively before.
And the verdict is: when there is no http-method, no methods are constrained.
In fact, one of them tried out the possible combinations, and this is
how it worked:
*** Combination of http-method and auth-constraint
--------------------------------------------------------------------
http-method   auth-constraint     result
--------------------------------------------------------------------
none          none                OK. no login asked
none          blank               403 forbidden
none          role-name tomcat    valid login allowed
                                  invalid login not allowed
GET           none                OK. no login asked
GET           blank               403 forbidden
GET           role-name tomcat    valid login allowed
                                  invalid login not allowed
--------------------------------------------------------------------
Additional explanation and scenarios
1.
<security-constraint>
.....
<http-method>GET</http-method>
</security-constraint>
(i.e. no <auth-constraint>)
<auth-constraint> NOT being there is the same as <auth-constraint>*</auth-constraint>. So, ALL users can access the GET method on the given url-pattern. For all other http-methods, ALL can access them. Hence, in this case, ALL users can access ALL methods on the given url-pattern.
2.
<security-constraint>
..........
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
(i.e. no HTTP method)
You are right. If NO http-method is specified, the security constraint applies to all methods. So, admin has access to ALL methods. Also, everybody other than the admin also has access to ALL methods. Hence, everybody has access to ALL methods on the url-pattern.
3.
<security-constraint>
.....
<http-method>GET</http-method>
</auth-constraint>
</security-constraint>
(i.e. empty auth-constraint with no role names)
I think, firstly, that </auth-constraint> is an error.
To depict an empty tag, use <auth-constraint />
Next, this specifies that NOBODY has access to the GET method on the given url-pattern. For all other http methods (besides GET), everybody has access to them on the given url-pattern.
In fact, there is a very good example in the specs: SVR.12.8.2, Page 98, with a nice matrix as solution.
Thanks
Shiva
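
The following is an added example, not part of the original post: a small web.xml audit that applies the rows of the table above (no auth-constraint = no login asked, blank = 403, role-name = login required) and lists the HTTP methods a constraint leaves uncovered when it names specific http-methods. The sample descriptor, the method list and the function names are constructed for illustration, and it assumes each url-pattern appears in only one constraint.

```python
import xml.etree.ElementTree as ET

# Methods to check; an assumption for this example, extend as needed.
ALL_METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")

# Constructed sample descriptor (not taken from the post).
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Match on local name so namespaced web.xml files also work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit(xml_text):
    """Return {url-pattern: {method: outcome}} following the table's rows."""
    report = {}
    root = ET.fromstring(xml_text)
    for sc in (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        if not auth:
            outcome = "open"                       # no login asked
        else:
            roles = [r.text.strip() for r in _kids(auth[0], "role-name") if r.text]
            outcome = "roles:" + ",".join(roles) if roles else "forbidden"  # blank = 403
        for wrc in _kids(sc, "web-resource-collection"):
            listed = [m.text.strip().upper() for m in _kids(wrc, "http-method") if m.text]
            for pat in (p.text.strip() for p in _kids(wrc, "url-pattern") if p.text):
                methods = report.setdefault(pat, {m: "uncovered" for m in ALL_METHODS})
                for m in listed or ALL_METHODS:    # no http-method: every method
                    methods[m] = outcome
    return report

def uncovered(report):
    """Patterns whose constraint leaves some methods without any protection."""
    gaps = {p: sorted(m for m, o in ms.items() if o == "uncovered") for p, ms in report.items()}
    return {p: g for p, g in gaps.items() if g}

if __name__ == "__main__":
    for pattern, gap in uncovered(audit(SAMPLE)).items():
        print(pattern, "leaves unprotected:", ", ".join(gap))
```
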