Technically all of those are wrong:
1. As mentioned above, your users need an SSL certificate but this can be a self-signed one, though that covers very dodgy ground which I very much doubt would be asked on the exam.
2. You would also need to declare the security-constraints for a set of resources: just having the type of auth declared is insufficient.
3. BASIC is the most widely supported; DIGEST is optional (though still almost universally supported these days).
4. "you must declare two HTML files" is at best misleading. In fact you must specify two context-relative paths (which may be identical but must each begin with a /) for the login and error pages. These don't need to be HTML files - they could be servlets, JSPs, PHPs or anything else which generates a valid response in the browser. This should really read: "To use FORM authentication, you must declare two context-relative paths in your deployment descriptor, and you must use a predefined action in the HTML form that handles your user's login." A bit nit-picky, but accuracy is always important.
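
Points 2 and 4 put together in one deployment descriptor, as an added example that is not part of the original post. The URL pattern, role name and the two page paths are assumptions made up for illustration; the element names, `j_security_check`, `j_username` and `j_password` come from the servlet specification.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Without a security-constraint the login-config below protects nothing. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name> <!-- constructed name -->
      <url-pattern>/members/*</url-pattern>               <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>                       <!-- assumed role -->
    </auth-constraint>
    <!-- FORM does not encrypt the submitted password itself, so require TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Both are context-relative paths starting with "/"; neither has to be
           an HTML file. Here one is a JSP and the other a servlet mapping. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/auth/failed</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

  <!-- What /login.jsp must render: the action and the two field names are
       fixed by the servlet specification.

       <form method="POST" action="j_security_check">
         <input type="text"     name="j_username">
         <input type="password" name="j_password">
         <input type="submit"   value="Log in">
       </form>
  -->
</web-app>
```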